
Published: 3rd September 2018

Severity: Critical

CVSS Score: 9.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)


Affected Products:

WSO2 Identity Server : 5.4.0 , 5.4.1 , 5.5.0 , 5.6.0

WSO2 Identity Server as Key Manager : 5.5.0 , 5.6.0

WSO2 Identity Server : 5.3.0 - Only if "SCIM 2.0 Inbound Provisioning Connector" is installed.

WSO2 Identity Server as Key Manager : 5.3.0 - Only if "SCIM 2.0 Inbound Provisioning Connector" is installed.


An authentication and authorization bypass vulnerability has been detected in the SCIM 2.0 API.


If the /scim2 endpoint of WSO2 Identity Server is exposed to the public, an attacker would be able to bypass the authentication and authorization of the SCIM 2.0 API and execute operations in the API without valid credentials.


By exploiting the vulnerability, an attacker would be able to have a user account created with a higher level of permissions bound to it, and then perform any action in the system that this user account is permitted to perform.


The recommended solution is to modify the following configuration under the <ResourceAccessControl> element in the IS_HOME/repository/conf/identity/identity.xml file and restart the server. Find each existing entry and replace it with the corresponding new entry. Only the context attribute changes: each new pattern ends in (.*), so a request whose context continues past the listed path still matches the secured rule instead of falling outside it. Leave the other attributes and any child elements of the entry (such as <Permissions>) unchanged. After the restart, confirm that requests to these contexts without valid credentials are rejected.

Existing configuration:
<Resource context="(.*)/api/identity/user/v1.0/validate-code" secured="true" http-method="all"/>
New configuration:
<Resource context="(.*)/api/identity/user/v1.0/validate-code(.*)" secured="true" http-method="all"/>

Existing configuration:
<Resource context="(.*)/api/identity/user/v1.0/resend-code" secured="true" http-method="all"/>
New configuration:
<Resource context="(.*)/api/identity/user/v1.0/resend-code(.*)" secured="true" http-method="all"/>

Existing configuration:
<Resource context="(.*)/api/identity/user/v1.0/me" secured="true" http-method="POST"/>
New configuration:
<Resource context="(.*)/api/identity/user/v1.0/me(.*)" secured="true" http-method="POST"/>

Existing configuration:
<Resource context="(.*)/api/identity/user/v1.0/me" secured="true" http-method="GET"/>
New configuration:
<Resource context="(.*)/api/identity/user/v1.0/me(.*)" secured="true" http-method="GET"/>

Existing configuration:
<Resource context="(.*)/scim2/Users" secured="true" http-method="POST">
New configuration:
<Resource context="(.*)/scim2/Users(.*)" secured="true" http-method="POST">

Existing configuration:
<Resource context="(.*)/scim2/Groups" secured="true" http-method="POST">
New configuration:
<Resource context="(.*)/scim2/Groups(.*)" secured="true" http-method="POST">

Existing configuration:
<Resource context="/scim2/Bulk" secured="true" http-method="all">
New configuration:
<Resource context="/scim2/Bulk(.*)" secured="true" http-method="all">

Existing configuration:
<Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/pii-categories" secured="true" http-method="POST">
New configuration:
<Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/pii-categories(.*)" secured="true" http-method="POST">

Existing configuration:
<Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/purposes" secured="true" http-method="POST">
New configuration:
<Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/purposes(.*)" secured="true" http-method="POST">

Existing configuration:
<Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/purpose-categories" secured="true" http-method="POST">
New configuration:
<Resource context="(.*)/api/identity/consent-mgt/v1.0/consents/purpose-categories(.*)" secured="true" http-method="POST">


If you are using any version of the Identity Server that is not listed in the "Affected Products" section, then this vulnerability is not applicable. If you have any questions, post them to [email protected].
