CVE-2024-7097

Summary

An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization.

Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Open Banking AM0 < 1.3.0unknown
WSO2WSO2 Open Banking AM1.3.0 < 1.3.0.131affected
WSO2WSO2 Open Banking AM1.4.0 < 1.4.0.134affected
WSO2WSO2 Open Banking AM1.5.0 < 1.5.0.136affected
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.343affected
WSO2WSO2 Open Banking KM0 < 1.3.0unknown
WSO2WSO2 Open Banking KM1.3.0 < 1.3.0.114affected
WSO2WSO2 Open Banking KM1.4.0 < 1.4.0.130affected
WSO2WSO2 Open Banking KM1.5.0 < 1.5.0.120affected
WSO2WSO2 Identity Server as Key Manager0 < 5.3.0unknown
WSO2WSO2 Identity Server as Key Manager5.3.0 < 5.3.0.38affected
WSO2WSO2 Identity Server as Key Manager5.5.0 < 5.5.0.51affected
WSO2WSO2 Identity Server as Key Manager5.6.0 < 5.6.0.72affected
WSO2WSO2 Identity Server as Key Manager5.7.0 < 5.7.0.122affected
WSO2WSO2 Identity Server as Key Manager5.9.0 < 5.9.0.165affected
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.312affected
WSO2WSO2 API Manager0 < 2.0.0unknown
WSO2WSO2 API Manager2.0.0 < 2.0.0.29affected
WSO2WSO2 API Manager2.1.0 < 2.1.0.39affected
WSO2WSO2 API Manager2.2.0 < 2.2.0.56affected
WSO2WSO2 API Manager2.5.0 < 2.5.0.83affected
WSO2WSO2 API Manager2.6.0 < 2.6.0.142affected
WSO2WSO2 API Manager3.0.0 < 3.0.0.162affected
WSO2WSO2 API Manager3.1.0 < 3.1.0.294affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.384affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.16affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.305affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.166affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.101affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.16affected
WSO2WSO2 Identity Server0 < 5.2.0unknown
WSO2WSO2 Identity Server5.2.0 < 5.2.0.32affected
WSO2WSO2 Identity Server5.3.0 < 5.3.0.33affected
WSO2WSO2 Identity Server5.4.0 < 5.4.0.32affected
WSO2WSO2 Identity Server5.4.1 < 5.4.1.36affected
WSO2WSO2 Identity Server5.5.0 < 5.5.0.50affected
WSO2WSO2 Identity Server5.6.0 < 5.6.0.58affected
WSO2WSO2 Identity Server5.7.0 < 5.7.0.123affected
WSO2WSO2 Identity Server5.8.0 < 5.8.0.106affected
WSO2WSO2 Identity Server5.9.0 < 5.9.0.157affected
WSO2WSO2 Identity Server5.10.0 < 5.10.0.318affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.365affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.209affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.188affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.60affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.364affected
WSO2WSO2 Enterprise Mobility Manager2.2.0 < 2.2.0.26affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References