CVE-2020-24703
First published: Thu Aug 27 2020(Updated: )
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| =2.2.0 | ||
| =2.2.0 | ||
| =2.2.0 | ||
| =3.2.0 | ||
| <=6.6.0 | ||
| =5.5.0 | ||
| =5.8.0 | ||
| =5.5.0 | ||
| =5.5.0 | ||
| =3.3.0 | ||
| =3.3.1 | ||
| WSO2 API Manager | =2.2.0 | |
| Wso2 Api Manager Analytics | =2.2.0 | |
| WSO2 API Microgateway | =2.2.0 | |
| WSO2 Data Analytics Server | =3.2.0 | |
| WSO2 Enterprise Integrator | <=6.6.0 | |
| WSO2 Identity Server | =5.5.0 | |
| WSO2 Identity Server | =5.8.0 | |
| WSO2 Identity Server Analytics | =5.5.0 | |
| WSO2 Identity Server as Key Manager | =5.5.0 | |
| Wso2 Iot Server | =3.3.0 | |
| Wso2 Iot Server | =3.3.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID for this issue?
The vulnerability ID for this issue is CVE-2020-24703.
Which WSO2 products are affected by this vulnerability?
This vulnerability affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator up to 6.6.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, Identity Server as Key Manager 5.5.0, IoT Server 3.3.0 and 3.3.1.
What is the severity of CVE-2020-24703?
The severity of CVE-2020-24703 is high with a CVSS score of 8.8.
What is the issue in this vulnerability?
The issue in this vulnerability is that a valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, leading to session hijacking.
How can I fix CVE-2020-24703?
To fix CVE-2020-24703, it is recommended to apply the necessary patches or updates provided by WSO2 and follow the recommendations mentioned in the security advisory.
- collector/nvd-index
- agent/first-publish-date
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/severity
- agent/author
- agent/references
- agent/description
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/mitre-cve
- source/MITRE
- vendor/wso2
- canonical/wso2 api manager
- version/wso2 api manager/2.2.0
- canonical/wso2 api manager analytics
- version/wso2 api manager analytics/2.2.0
- canonical/wso2 api microgateway
- version/wso2 api microgateway/2.2.0
- canonical/wso2 data analytics server
- version/wso2 data analytics server/3.2.0
- canonical/wso2 enterprise integrator
- version/wso2 enterprise integrator/6.6.0
- canonical/wso2 identity server
- version/wso2 identity server/5.5.0
- version/wso2 identity server/5.8.0
- canonical/wso2 identity server analytics
- version/wso2 identity server analytics/5.5.0
- canonical/wso2 identity server as key manager
- version/wso2 identity server as key manager/5.5.0
- canonical/wso2 iot server
- version/wso2 iot server/3.3.0
- version/wso2 iot server/3.3.1