Published: 11th January 2021
Version: 1.0.0
Severity: High
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
AFFECTED PRODUCTS
WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0
WSO2 API Microgateway : 2.2.0
WSO2 IS as Key Manager : 5.5.0 , 5.6.0 , 5.7.0 , 5.9.0 , 5.10.0
WSO2 Identity Server : 5.4.0 , 5.4.1 , 5.5.0 , 5.6.0 , 5.7.0 , 5.8.0 , 5.9.0 , 5.10.0
OVERVIEW
Improper validation of the parameters submitted during multi-option login.
DESCRIPTION
Identify Provider (IDP) name parameter submitted during multi-option login operations was not properly validated, which could lead to authenticating using an unintended identity-provider to an application.
IMPACT
This vulnerability has an impact only if; the system uses multi-option login, multiple identity-providers of the same type of federated authenticator (eg: SAML federated authenticator) are used, and at least one of those identity-providers are not associated with the application. In addition, the malicious external party should know an identity-provider name used in a different application, and knows a valid user-account at the desired identity-provider. If said pre-conditions are met, a malicious external party could force an unintended, yet same type authenticator, to be used during the multi-option login operation. This could lead to confidentiality, integrity and availability impact to the application, depending on the functionalities made available to the authenticated users.
SOLUTION
If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.
You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-identity-framework/pull/2948
Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.
Overview
Content Tools
Activity