CVE-2024-7096

Summary

A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met:

  • SOAP admin services are accessible to the attacker.
  • The deployment includes an internally used attribute that is not part of the default WSO2 product configuration.
  • At least one custom role exists with non-default permissions.
  • The attacker has knowledge of the custom role and the internal attribute used in the deployment.

Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.364affected
WSO2WSO2 Open Banking AM0 < 1.3.0unknown
WSO2WSO2 Open Banking AM1.3.0 < 1.3.0.131affected
WSO2WSO2 Open Banking AM1.4.0 < 1.4.0.134affected
WSO2WSO2 Open Banking AM1.5.0 < 1.5.0.136affected
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.343affected
WSO2WSO2 API Manager0 < 2.0.0unknown
WSO2WSO2 API Manager2.0.0 < 2.0.0.29affected
WSO2WSO2 API Manager2.1.0 < 2.1.0.39affected
WSO2WSO2 API Manager2.2.0 < 2.2.0.56affected
WSO2WSO2 API Manager2.5.0 < 2.5.0.83affected
WSO2WSO2 API Manager2.6.0 < 2.6.0.142affected
WSO2WSO2 API Manager3.0.0 < 3.0.0.162affected
WSO2WSO2 API Manager3.1.0 < 3.1.0.294affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.384affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.16affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.305affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.166affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.101affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.16affected
WSO2WSO2 Enterprise Mobility Manager2.2.0 < 2.2.0.26affected
WSO2WSO2 Identity Server0 < 5.2.0unknown
WSO2WSO2 Identity Server5.2.0 < 5.2.0.32affected
WSO2WSO2 Identity Server5.3.0 < 5.3.0.33affected
WSO2WSO2 Identity Server5.4.1 < 5.4.1.36affected
WSO2WSO2 Identity Server5.5.0 < 5.5.0.50affected
WSO2WSO2 Identity Server5.6.0 < 5.6.0.58affected
WSO2WSO2 Identity Server5.7.0 < 5.7.0.123affected
WSO2WSO2 Identity Server5.8.0 < 5.8.0.106affected
WSO2WSO2 Identity Server5.9.0 < 5.9.0.157affected
WSO2WSO2 Identity Server5.10.0 < 5.10.0.318affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.365affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.209affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.188affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.60affected
WSO2WSO2 Identity Server as Key Manager0 < 5.3.0unknown
WSO2WSO2 Identity Server as Key Manager5.3.0 < 5.3.0.38affected
WSO2WSO2 Identity Server as Key Manager5.5.0 < 5.5.0.51affected
WSO2WSO2 Identity Server as Key Manager5.6.0 < 5.6.0.72affected
WSO2WSO2 Identity Server as Key Manager5.7.0 < 5.7.0.122affected
WSO2WSO2 Identity Server as Key Manager5.9.0 < 5.9.0.165affected
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.312affected
WSO2WSO2 Open Banking KM0 < 1.3.0unknown
WSO2WSO2 Open Banking KM1.3.0 < 1.3.0.114affected
WSO2WSO2 Open Banking KM1.4.0 < 1.4.0.130affected
WSO2WSO2 Open Banking KM1.5.0 < 1.5.0.120affected

Weaknesses

  • CWE-863: CWE-863 Incorrect Authorization

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References