CVE-2024-1248

Summary

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user.

Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 API Manager0 < 3.0.0unknown
WSO2WSO2 API Manager3.0.0 < 3.0.0.153affected
WSO2WSO2 API Manager3.1.0 < 3.1.0.267affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.351affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.269affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.169affected
WSO2WSO2 Identity Server0 < 5.8.0unknown
WSO2WSO2 Identity Server5.8.0 < 5.8.0.101affected
WSO2WSO2 Identity Server5.9.0 < 5.9.0.138affected
WSO2WSO2 Identity Server5.10.0 < 5.10.0.284affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.321affected
WSO2WSO2 Identity Server as Key Manager0 < 5.9.0unknown
WSO2WSO2 Identity Server as Key Manager5.9.0 < 5.9.0.148affected
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.280affected
WSO2WSO2 Open Banking AM0 < 2.0.0unknown
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.313affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.333affected

Weaknesses

  • CWE-298: CWE-298: Improper Handling of Identity During Provisioning

References