high
8.5
EPSS
0.050%
Advisory Published
Advisory Published
Updated

CVE-2023-6837

First published: Fri Dec 15 2023(Updated: )

Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option. * A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled. Attacker should have: * A fresh valid user account in the federated IDP that has not been used earlier. * Knowledge of the username of a valid user in the local IDP. When all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation.

Credit: ed10eef1-636d-4fbe-9993-6890dfa878f8 ed10eef1-636d-4fbe-9993-6890dfa878f8

Affected SoftwareAffected VersionHow to fix
maven/org.wso2.identity.apps:authentication-portal<1.6.179.1
1.6.179.1
maven/org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.authentication.framework<5.20.254
5.20.254
WSO2 API Manager>=2.5.0<2.5.0.32
WSO2 API Manager>=2.6.0<2.6.0.52
WSO2 API Manager>=3.0.0<3.0.0.50
WSO2 API Manager>=3.1.0<3.1.0.72
WSO2 API Manager>=3.2.0<3.2.0.86
WSO2 API Manager>=4.0.0<4.0.0.35
WSO2 Identity Server>=5.6.0<5.6.0.16
WSO2 Identity Server>=5.7.0<5.7.0.35
WSO2 Identity Server>=5.8.0<5.8.0.26
WSO2 Identity Server>=5.9.0<5.9.0.38
WSO2 Identity Server>=5.10.0<5.10.0.78
WSO2 Identity Server>=5.11.0<5.11.0.69
WSO2 Identity Server as Key Manager>=5.6.0<5.6.0.17
WSO2 Identity Server as Key Manager>=5.7.0<5.7.0.39
WSO2 Identity Server as Key Manager>=5.9.0<5.9.0.45
WSO2 Identity Server as Key Manager>=5.10.0<5.10.0.80
Wso2 Carbon Identity Application Authentication Endpoint<5.11.256.3
Wso2 Carbon Identity Application Authentication Endpoint>=5.11.257.0<5.12.153.19
Wso2 Carbon Identity Application Authentication Endpoint>=5.12.154.0<5.20.254
Wso2 Carbon Identity Application Authentication Framework<5.11.256.3
Wso2 Carbon Identity Application Authentication Framework>=5.11.257.0<5.12.153.21
Wso2 Carbon Identity Application Authentication Framework>=5.12.154.0<5.12.387.7
Wso2 Carbon Identity Application Authentication Framework>=5.12.388.0<5.14.97.22
Wso2 Carbon Identity Application Authentication Framework>=5.14.98.0<5.17.5.106
Wso2 Carbon Identity Application Authentication Framework>=5.17.6.0<5.18.187.76
Wso2 Carbon Identity Application Authentication Framework>=5.18.188.0<5.20.254

Remedy

For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly. Community users may apply the relevant fixes to the product based on the public fix(s) advertised in  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1... https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573/

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203