CVE-2023-6837

Summary

Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met:

  • An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option.
  • A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled.

Attacker should have:

  • A fresh valid user account in the federated IDP that has not been used earlier.
  • Knowledge of the username of a valid user in the local IDP.

When all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 API Manager0 < 2.5.0unknown
WSO2WSO2 API Manager2.5.0 < 2.5.0.32affected
WSO2WSO2 API Manager2.6.0 < 2.6.0.52affected
WSO2WSO2 API Manager3.0.0 < 3.0.0.50affected
WSO2WSO2 API Manager3.1.0 < 3.1.0.72affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.86affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.35affected
WSO2WSO2 Identity Server0 < 5.6.0unknown
WSO2WSO2 Identity Server5.6.0 < 5.6.0.16affected
WSO2WSO2 Identity Server5.7.0 < 5.7.0.35affected
WSO2WSO2 Identity Server5.8.0 < 5.8.0.26affected
WSO2WSO2 Identity Server5.9.0 < 5.9.0.38affected
WSO2WSO2 Identity Server5.10.0 < 5.10.0.78affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.69affected
WSO2WSO2 Identity Server as Key Manager0 < 5.6.0unknown
WSO2WSO2 Identity Server as Key Manager5.6.0 < 5.6.0.17affected
WSO2WSO2 Identity Server as Key Manager5.7.0 < 5.7.0.39affected
WSO2WSO2 Identity Server as Key Manager5.9.0 < 5.9.0.45affected
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.80affected
WSO2WSO2 Carbon Identity Application Authentication Framework5.11.256 < 5.11.256.3affected
WSO2WSO2 Carbon Identity Application Authentication Framework5.12.153 < 5.12.153.21affected
WSO2WSO2 Carbon Identity Application Authentication Framework5.12.387 < 5.12.387.7affected
WSO2WSO2 Carbon Identity Application Authentication Framework5.14.97 < 5.14.97.22affected
WSO2WSO2 Carbon Identity Application Authentication Framework5.17.5 < 5.17.5.106affected
WSO2WSO2 Carbon Identity Application Authentication Framework5.18.187 < 5.18.187.76affected
WSO2WSO2 Carbon Identity Application Authentication Framework5.20.254 <= *unaffected

Weaknesses

  • CWE-863: CWE-863 Incorrect Authorization

ADP Enrichment

CVE Program Container

Additional References

References