CVE-2024-0391

Summary

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.

The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.379affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.426affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.431affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.253affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.254affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.131affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.318affected
WSO2WSO2 Identity Server as Key Manager0 < 5.10.0unknown
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.267affected
WSO2Email OTP Authenticator1.0.18 < 1.0.18.7affected
WSO2Email OTP Authenticator1.0.24 <= *unaffected
WSO2WSO2 Carbon Authenticator Library For EmailOTP4.1.0 < 4.1.0.8affected
WSO2WSO2 Carbon Authenticator Library For EmailOTP4.1.4 < 4.1.4.9affected
WSO2WSO2 Carbon Authenticator Library For EmailOTP4.1.22 <= *unaffected
WSO2WSO2 Carbon Authenticator Library For EmailOTP3.0.5 < 3.0.5.8affected
WSO2WSO2 Carbon Authenticator Library For EmailOTP3.0.24 < 3.0.24.6affected
WSO2WSO2 Carbon Authenticator Library For EmailOTP3.0.26 < 3.0.26.16affected

Weaknesses

  • CWE-204: CWE-204 Observable response discrepancy

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References