CVE-2024-7073

Summary

A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin services. This flaw allows unauthenticated attackers to manipulate server-side requests, enabling access to internal and external resources available through the network or filesystem.

Exploitation of this vulnerability could lead to unauthorized access to sensitive data and systems, including resources within private networks, as long as they are reachable by the affected product.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Identity Server as Key Manager0 < 5.3.0unknown
WSO2WSO2 Identity Server as Key Manager5.3.0 < 5.3.0.37affected
WSO2WSO2 Identity Server as Key Manager5.5.0 < 5.5.0.50affected
WSO2WSO2 Identity Server as Key Manager5.6.0 < 5.6.0.71affected
WSO2WSO2 Identity Server as Key Manager5.7.0 < 5.7.0.122affected
WSO2WSO2 Identity Server as Key Manager5.9.0 < 5.9.0.165affected
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.312affected
WSO2WSO2 Identity Server0 < 5.2.0unknown
WSO2WSO2 Identity Server5.2.0 < 5.2.0.32affected
WSO2WSO2 Identity Server5.3.0 < 5.3.0.32affected
WSO2WSO2 Identity Server5.4.0 < 5.4.0.31affected
WSO2WSO2 Identity Server5.4.1 < 5.4.1.36affected
WSO2WSO2 Identity Server5.5.0 < 5.5.0.49affected
WSO2WSO2 Identity Server5.6.0 < 5.6.0.57affected
WSO2WSO2 Identity Server5.7.0 < 5.7.0.123affected
WSO2WSO2 Identity Server5.8.0 < 5.8.0.105affected
WSO2WSO2 Identity Server5.9.0 < 5.9.0.156affected
WSO2WSO2 Identity Server5.10.0 < 5.10.0.318affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.364affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.208affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.187affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.59affected
WSO2WSO2 Open Banking KM0 < 1.3.0unknown
WSO2WSO2 Open Banking KM1.3.0 < 1.3.0.114affected
WSO2WSO2 Open Banking KM1.4.0 < 1.4.0.130affected
WSO2WSO2 Open Banking KM1.5.0 < 1.5.0.120affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.363affected
WSO2WSO2 Carbon Policy Editor BE5.2.2 < 5.2.2.14affected
WSO2WSO2 Carbon Policy Editor BE5.7.5 < 5.7.5.15affected
WSO2WSO2 Carbon Policy Editor BE5.10.86 < 5.10.86.5affected
WSO2WSO2 Carbon Policy Editor BE5.10.112 < 5.10.112.16affected
WSO2WSO2 Carbon Policy Editor BE5.11.148 < 5.11.148.15affected
WSO2WSO2 Carbon Policy Editor BE5.11.256 < 5.11.256.17affected
WSO2WSO2 Carbon Policy Editor BE5.12.153 < 5.12.153.59affected
WSO2WSO2 Carbon Policy Editor BE5.12.387 < 5.12.387.42affected
WSO2WSO2 Carbon Policy Editor BE5.14.97 < 5.14.97.76affected
WSO2WSO2 Carbon Policy Editor BE5.17.5 < 5.17.5.284affected
WSO2WSO2 Carbon Policy Editor BE5.18.187 < 5.18.187.268affected
WSO2WSO2 Carbon Policy Editor BE5.23.8 < 5.23.8.186affected
WSO2WSO2 Carbon Policy Editor BE5.25.92 < 5.25.92.95affected
WSO2WSO2 Carbon Policy Editor BE7.0.78 < 7.0.78.35affected
WSO2WSO2 Carbon Policy Editor BE7.4.3 <= *unaffected

Weaknesses

  • CWE-918: CWE-918 Server-Side Request Forgery (SSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References