CVE-2024-0391
5.3
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.
The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WSO2 | WSO2 Identity Server | 0 < 5.10.0 | unknown |
| WSO2 | WSO2 Identity Server | 5.10.0 < 5.10.0.379 | affected |
| WSO2 | WSO2 Identity Server | 5.11.0 < 5.11.0.426 | affected |
| WSO2 | WSO2 Identity Server | 5.11.0 < 5.11.0.431 | affected |
| WSO2 | WSO2 Identity Server | 6.0.0 < 6.0.0.253 | affected |
| WSO2 | WSO2 Identity Server | 6.1.0 < 6.1.0.254 | affected |
| WSO2 | WSO2 Identity Server | 7.0.0 < 7.0.0.131 | affected |
| WSO2 | WSO2 Open Banking IAM | 0 < 2.0.0 | unknown |
| WSO2 | WSO2 Open Banking IAM | 2.0.0 < 2.0.0.318 | affected |
| WSO2 | WSO2 Identity Server as Key Manager | 0 < 5.10.0 | unknown |
| WSO2 | WSO2 Identity Server as Key Manager | 5.10.0 < 5.10.0.267 | affected |
| WSO2 | Email OTP Authenticator | 1.0.18 < 1.0.18.7 | affected |
| WSO2 | Email OTP Authenticator | 1.0.24 <= * | unaffected |
| WSO2 | WSO2 Carbon Authenticator Library For EmailOTP | 4.1.0 < 4.1.0.8 | affected |
| WSO2 | WSO2 Carbon Authenticator Library For EmailOTP | 4.1.4 < 4.1.4.9 | affected |
| WSO2 | WSO2 Carbon Authenticator Library For EmailOTP | 4.1.22 <= * | unaffected |
| WSO2 | WSO2 Carbon Authenticator Library For EmailOTP | 3.0.5 < 3.0.5.8 | affected |
| WSO2 | WSO2 Carbon Authenticator Library For EmailOTP | 3.0.24 < 3.0.24.6 | affected |
| WSO2 | WSO2 Carbon Authenticator Library For EmailOTP | 3.0.26 < 3.0.26.16 | affected |
Weaknesses
- CWE-204: CWE-204 Observable response discrepancy
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.