
Published: 06th November 2020

Version: 1.0.0

Severity: High

CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)


AFFECTED PRODUCTS

WSO2 API Manager : 2.6.0 or earlier
WSO2 API Microgateway : 2.2.0
WSO2 IS as Key Manager : 5.7.0 or earlier
WSO2 Identity Server : 5.7.0 or earlier


OVERVIEW

A broken authorization vulnerability caused by OAuth token cache key collisions between primary user store users and federated users with the same username.


DESCRIPTION

When a user in the primary user store and a user in a federated IDP have the same username, the OAuth cache key is generated without regard to whether the authorized user is federated or not. If the Client ID and the requested scopes are also the same, both users map to the same cache entry.


IMPACT

Because the user identity used to build the cache key is not unique, the cached data of a primary user store user is served to a federated user with the same username, or vice versa. A malicious user who can authenticate through a trusted federated IDP with a username matching that of a primary user store user is therefore able to gain access to that user's secured resources.
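The following is an added, self-contained model of the collision described above. It is illustrative code written for this advisory, not WSO2's implementation: the cache key layout, the AuthenticatedUser fields, the TokenIssuer class and the user and client names are assumptions made for the demonstration. It shows a key built only from Client ID, bare username and scopes handing a federated "alice" the token minted for the PRIMARY "alice", and a key that qualifies the username with its origin keeping the two apart.

```python
"""Illustrative model of the OAuth token cache key collision described in this
advisory. Added example code, not WSO2's implementation: the key layout, the
AuthenticatedUser fields and the TokenIssuer class are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, Optional
import secrets


@dataclass(frozen=True)
class AuthenticatedUser:
    """Subject of an OAuth grant, distinguishing a primary user store user
    from a federated one (assumed field names)."""
    username: str
    tenant_domain: str
    is_federated: bool
    user_store_domain: Optional[str] = None   # e.g. "PRIMARY" for local users
    federated_idp: Optional[str] = None       # identity provider name for federated users


def _scope_string(scopes: Iterable[str]) -> str:
    # Scopes are order-insensitive, so normalise them before keying.
    return " ".join(sorted(scopes))


def vulnerable_cache_key(user: AuthenticatedUser, client_id: str, scopes: Iterable[str]) -> str:
    """Key built from Client ID, bare username and scopes only.
    Two users with the same username collide, whatever their origin."""
    return f"{client_id}:{user.username}:{_scope_string(scopes)}"


def fixed_cache_key(user: AuthenticatedUser, client_id: str, scopes: Iterable[str]) -> str:
    """Key that qualifies the username with where the user came from, so a
    federated 'alice' and a PRIMARY 'alice' get separate cache entries."""
    if user.is_federated:
        origin = f"FEDERATED/{user.federated_idp}"
    else:
        origin = user.user_store_domain or "PRIMARY"
    return f"{client_id}:{origin}/{user.username}@{user.tenant_domain}:{_scope_string(scopes)}"


class TokenIssuer:
    """Minimal token endpoint with a cache in front of token generation."""

    def __init__(self, key_fn: Callable[[AuthenticatedUser, str, Iterable[str]], str]) -> None:
        self.key_fn = key_fn
        self.cache: Dict[str, str] = {}                        # cache key -> access token
        self.token_owner: Dict[str, AuthenticatedUser] = {}    # what the resource server sees

    def issue(self, user: AuthenticatedUser, client_id: str, scopes: Iterable[str]) -> str:
        key = self.key_fn(user, client_id, scopes)
        token = self.cache.get(key)
        if token is None:
            token = secrets.token_hex(16)
            self.cache[key] = token
            self.token_owner[token] = user
        return token


def federated_user_gets_local_token(key_fn) -> bool:
    """Replays the advisory scenario: same username in PRIMARY and at a federated
    IDP, same Client ID, same scopes (constructed sample data). Returns True when
    the federated login is handed the token minted for the primary user store user."""
    issuer = TokenIssuer(key_fn)
    local_alice = AuthenticatedUser("alice", "carbon.super", False, user_store_domain="PRIMARY")
    fed_alice = AuthenticatedUser("alice", "carbon.super", True, federated_idp="partner-idp")
    client_id, scopes = "client-app", ["openid", "read"]

    local_token = issuer.issue(local_alice, client_id, scopes)
    # Same client and scopes (in a different order) from the federated user.
    fed_token = issuer.issue(fed_alice, client_id, list(reversed(scopes)))
    return fed_token == local_token and issuer.token_owner[fed_token] is local_alice


if __name__ == "__main__":
    print("vulnerable key collides:", federated_user_gets_local_token(vulnerable_cache_key))
    print("fixed key collides:     ", federated_user_gets_local_token(fixed_cache_key))
```

The point to check in any similar cache is that every attribute that makes the authenticated subject distinct (user store domain, tenant domain, whether the user is federated and from which IDP) is part of the key, not just the username; otherwise the cache, not the authorization logic, decides whose token is returned.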


SOLUTION

If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.

You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/1102

Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.
