Server-Side Request Forgery Vulnerability in WSO2 Products
CVE-2024-7073

CVSS 6.5 (MEDIUM)

What is CVE-2024-7073?

A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products because SOAP admin services do not adequately validate caller-supplied input before the server uses it to build outbound requests. An attacker who can reach the admin services (no credentials are required, per the CVSS vector below) can supply a crafted URL or address and make the WSO2 server issue the request on their behalf. Because the request originates from the server, it can reach hosts that the attacker cannot reach directly, such as internal services, loopback-bound endpoints and private-network resources, which is how the flaw leads to unauthorized disclosure of data the server can see. The CVSS assessment records a confidentiality impact only; no integrity or availability impact is claimed. Users of affected WSO2 products should apply the update for their version, and should also confirm that the SOAP admin services (served under the /services context path) are not reachable from untrusted networks, since exposing them is against WSO2's general hardening guidance regardless of this CVE.
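The root cause described above is an outbound request built from input the server never checked. The validator below shows the check such an admin service needs before it fetches a caller-supplied URL. It is an added example written for this page, not WSO2 code and not the vendor's fix: the blocked address ranges, the constructed FAKE_DNS table and the fake_resolver helper are assumptions so that it runs offline. The key design point is that it validates the resolved addresses, not the hostname string, and returns one pinned IP for the caller to connect to, which defeats decimal/hex/IPv4-mapped spellings of loopback addresses and DNS rebinding.

```python
"""Outbound-URL validation for a service that fetches caller-supplied URLs.
Added example for this page; not WSO2 code."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Ranges the server must never be talked into contacting on a caller's behalf:
# loopback, RFC 1918, link-local (cloud metadata sits at 169.254.169.254),
# CGNAT and the IPv6 equivalents. This list is an assumed policy.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


class SsrfBlocked(ValueError):
    """Raised when a URL would make the server reach a forbidden target."""


def _system_resolver(host):
    """Real resolution via getaddrinfo (needs network); returns every address."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr):
    """True if a resolved address falls in a blocked range. IPv4-mapped IPv6
    (::ffff:127.0.0.1) is unwrapped so it cannot slip past the IPv4 list."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)


def pinned_target(url, resolver=_system_resolver):
    """Validate url and return the single IP the caller must connect to.
    Every A/AAAA record must pass; the caller should open the socket to the
    returned IP (still sending the original Host header) instead of resolving
    again, which closes the DNS-rebinding window between check and use."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise SsrfBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise SsrfBlocked("userinfo in URL is not allowed")
    host = parts.hostname
    if not host:
        raise SsrfBlocked("URL has no host")
    try:
        addrs = resolver(host)
    except socket.gaierror as exc:
        raise SsrfBlocked(f"cannot resolve {host!r}: {exc}") from exc
    if not addrs:
        raise SsrfBlocked(f"{host!r} resolved to nothing")
    for addr in addrs:
        if is_blocked_address(addr):
            raise SsrfBlocked(f"{host!r} resolves to blocked address {addr}")
    return addrs[0]


def check_outbound_url(url, resolver=_system_resolver):
    """Non-raising wrapper: (True, pinned_ip) or (False, reason)."""
    try:
        return True, pinned_target(url, resolver)
    except SsrfBlocked as exc:
        return False, str(exc)


# Constructed DNS answers so the example runs offline; these are not real hosts.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "localhost": ["127.0.0.1", "::1"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["203.0.113.10", "10.0.0.5"],  # one bad record is enough to refuse
}


def fake_resolver(host):
    """Offline stand-in for _system_resolver backed by FAKE_DNS."""
    if host in FAKE_DNS:
        return list(FAKE_DNS[host])
    try:
        return [str(ipaddress.ip_address(host))]  # plain IP literal
    except ValueError:
        pass
    try:  # legacy shorthand ("0x7f000001", "127.1") that inet_aton/getaddrinfo also accept
        return [socket.inet_ntoa(socket.inet_aton(host))]
    except OSError:
        raise socket.gaierror(-2, f"Name or service not known: {host}")


if __name__ == "__main__":
    for url in ("https://api.example.com/v1", "http://localhost:9443/services/",
                "http://metadata.internal/latest/", "http://[::ffff:127.0.0.1]/",
                "http://0x7f000001/", "file:///etc/passwd",
                "http://api.example.com@10.0.0.5/", "http://rebind.example.net/"):
        print(f"{url:45} -> {check_outbound_url(url, fake_resolver)}")
```

Swap `fake_resolver` for the default `_system_resolver` to run it against live DNS. A deny-list like this is the floor, not the ceiling: where the admin service only ever needs to reach a known set of hosts, an allow-list of those hosts is the stronger check and this validator should sit behind it.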

Affected Version(s)

WSO2 Carbon Policy Editor BE from 5.2.2 before 5.2.2.14

WSO2 Carbon Policy Editor BE from 5.7.5 before 5.7.5.15

WSO2 Carbon Policy Editor BE from 5.10.86 before 5.10.86.5

CVSS v3.1

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Score: 6.5
Severity: MEDIUM
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Note: the 6.5 score is only consistent with a confidentiality-only impact; an Availability: High rating together with the other metrics above would score 8.1, so the availability metric is listed here as None, in line with the description of the flaw as unauthorized access to internal resources.
