Wso2 Api Manager
CVE-2024-1248
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from Vendor (WSO2).
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionNVD
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user.
Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.
AnalysisAI
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-298. The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user. Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator. Affected products include: Wso2 Wso2 Api Manager, Wso2 Wso2 Identity Server, Wso2 Wso2 Identity Server As Key Manager, Wso2 Wso2 Open Banking Am, Wso2 Wso2 Open Banking Iam.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Wso2 Api Manager
View allServer-side request forgery in WSO2 API Manager lets unauthenticated remote attackers coerce the gateway into making ser
Persistent denial of service in multiple WSO2 products - including WSO2 API Manager, WSO2 Universal Gateway, WSO2 Traffi
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the
Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to
Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, AP
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response.
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or p
HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or over
Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS applicati
The component accepts XML input through the publisher without disabling external entity resolution. Rated low severity (
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today