Published: 06th November 2020
CVSS Score: 7.7. (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
WSO2 API Manager : 2.6.0 or earlier
WSO2 API Microgateway : 2.2.0
WSO2 IS as Key Manager : 5.7.0 or earlier
WSO2 Identity Server : 5.7.0 or earlier
A broken authorization vulnerability via OAuth token cache.
When the same username exists both in the primary user store and in a federated IDP, the OAuth cache key is generated identically for both users whenever the Client ID and the requested scopes match, because the key does not record whether the authenticated user is a federated user or not.
Because the user is not uniquely identified in the cache key, cached data belonging to the primary user store user is served to the federated user, or vice versa. A malicious user in a federated IDP whose account carries a matching username can therefore gain access to the secured resources of the corresponding user in the primary user store.
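To make the collision concrete, the following is an added illustration and not WSO2's code: the cache key formats, the AuthenticatedUser fields, the TokenCache class and the demo() scenario are all simplified assumptions chosen to show the failure mode and one way a key can be qualified by the user's origin. It does not reproduce the project's actual fix; consult the public PR above for that.

```python
"""Illustration of the OAuth cache-key collision described in the advisory.

Added example, not WSO2's code. The key formats, the AuthenticatedUser
fields and the cache itself are simplified assumptions; the real
components live in identity-inbound-auth-oauth.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, Optional


@dataclass(frozen=True)
class AuthenticatedUser:
    """Minimal stand-in for the resolved user of a token request (assumed shape)."""
    username: str
    user_store_domain: str          # e.g. "PRIMARY"
    tenant_domain: str              # e.g. "carbon.super"
    is_federated: bool = False
    federated_idp: Optional[str] = None


def vulnerable_cache_key(client_id: str, user: AuthenticatedUser,
                         scopes: Iterable[str]) -> str:
    """Key built only from client ID, bare username and scopes.

    Two different identities that share a username produce the same key,
    which is the defect the advisory describes.
    """
    return f"{client_id}:{user.username}:{' '.join(sorted(scopes))}"


def hardened_cache_key(client_id: str, user: AuthenticatedUser,
                       scopes: Iterable[str]) -> str:
    """Key that records where the user came from (assumed fix shape).

    Federated users are qualified by their IDP; local users by tenant and
    user store domain, so the two can never share a cache entry.
    """
    if user.is_federated:
        origin = f"FEDERATED/{user.federated_idp}"
    else:
        origin = f"{user.tenant_domain}/{user.user_store_domain}"
    return f"{client_id}:{origin}:{user.username}:{' '.join(sorted(scopes))}"


class TokenCache:
    """Toy in-memory cache standing in for the OAuth cache (assumption)."""

    def __init__(self, key_fn: Callable[[str, AuthenticatedUser, Iterable[str]], str]):
        self._key_fn = key_fn
        self._store = {}

    def get_or_issue(self, client_id, user, scopes, issue):
        # Serve the cached entry if the key already exists; otherwise issue.
        key = self._key_fn(client_id, user, scopes)
        if key not in self._store:
            self._store[key] = issue(user)
        return self._store[key]


def demo(key_fn):
    """Local 'alice' obtains a token first; then a federated 'alice' from a
    partner IDP requests the same client and scopes.

    Returns (token held by local user, token held by federated user).
    With vulnerable_cache_key both values are the local user's token.
    """
    local = AuthenticatedUser("alice", "PRIMARY", "carbon.super")
    federated = AuthenticatedUser("alice", "FEDERATED", "carbon.super",
                                  is_federated=True, federated_idp="partner-idp")
    cache = TokenCache(key_fn)

    def issue(u: AuthenticatedUser) -> str:
        # Constructed token label so the owner of each entry is visible.
        return f"token-for-{'fed' if u.is_federated else 'local'}-{u.username}"

    local_token = cache.get_or_issue("client-1", local, ["openid"], issue)
    fed_token = cache.get_or_issue("client-1", federated, ["openid"], issue)
    return local_token, fed_token


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable_cache_key))
    print("hardened:  ", demo(hardened_cache_key))
```

The practical check this suggests for an affected deployment: two accounts that differ only in origin (primary user store versus a federated IDP) must never be able to observe each other's token or authorization state for the same client and scope set; any key derived from a bare username without tenant, user store and federation qualifiers reproduces the defect.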
If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.
You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/1102
Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.