Api Manager
CVE-2023-6837
HIGH
Severity by source
AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 22 maven packages depend on org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.authentication.framework (9 direct, 13 indirect)
Ecosystem-wide dependent count for version 5.20.254.
DescriptionNVD
Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met:
- An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option.
- A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled.
Attacker should have:
- A fresh valid user account in the federated IDP that has not been used earlier.
- Knowledge of the username of a valid user in the local IDP.
When all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation.
AnalysisAI
Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. Rated high severity (CVSS 8.2), this vulnerability is remotely exploitable. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Incorrect Authorization (CWE-863), which allows attackers to bypass authorization checks to access restricted resources. Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option. * A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled. Attacker should have: * A fresh valid user account in the federated IDP that has not been used earlier. * Knowledge of the username of a valid user in the local IDP. When all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation. Affected products include: Wso2 Api Manager, Wso2 Identity Server, Wso2 Identity Server As Key Manager, Wso2 Carbon Identity Application Authentication Endpoint, Wso2 Carbon Identity Application Authentication Framework.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Review and test authorization logic, implement consistent access control checks, use centralized authorization framework.
More in Api Manager
View allCertain WSO2 products allow unrestricted file upload with resultant remote code execution. Rated critical severity (CVSS
An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection
A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.
A reflected XSS issue exists in the Management Console of several WSO2 products. Rated medium severity (CVSS 6.1), this
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. Rated medium severity (CVSS 6.1), this vulnerability
WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibil
WSO2 Data Analytics Server 3.1.0 has XSS in carbon/resources/add_collection_ajaxprocessor.jsp via the collectionName or
Due to the improper configuration of XML parser, user-supplied XML is parsed without applying sufficient restrictions, e
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks.
An issue was discovered in certain WSO2 products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit
An issue was discovered in certain WSO2 products. Rated high severity (CVSS 8.8), this vulnerability is remotely exploit
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today