Federated Authentication Role Overwrite in WSO2 Products
CVE-2024-1248

4.8MEDIUM

What is CVE-2024-1248?

The silent Just-In-Time (JIT) provisioning feature in WSO2 Identity Server fails to properly segregate roles when a federated user shares a username with a local user. This oversight can lead to the unintended modification of local user roles during the account creation process by a malicious actor who exploits the JIT provisioning mechanism. The attack requires knowledge of a local username and the presence of a federated identity provider with JIT provisioning enabled. Once successfully exploited, the roles of local users can be overwritten with those assigned to the federated user, posing a risk of unauthorized access.

Affected Version(s)

WSO2 API Manager 3.0.0 < 3.0.0.153

WSO2 API Manager 3.1.0 < 3.1.0.267

WSO2 API Manager 3.2.0 < 3.2.0.351

References

CVSS V3.1

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.