Published: 11th January 2021
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0
WSO2 API Microgateway : 2.2.0
WSO2 IS as Key Manager : 5.5.0 , 5.6.0 , 5.7.0 , 5.9.0 , 5.10.0
WSO2 Identity Server : 5.4.0 , 5.4.1 , 5.5.0 , 5.6.0 , 5.7.0 , 5.8.0 , 5.9.0 , 5.10.0
Improper validation of the parameters submitted during multi-option login.
Identify Provider (IDP) name parameter submitted during multi-option login operations was not properly validated, which could lead to authenticating using an unintended identity-provider to an application.
This vulnerability has an impact only if; the system uses multi-option login, multiple identity-providers of the same type of federated authenticator (eg: SAML federated authenticator) are used, and at least one of those identity-providers are not associated with the application. In addition, the malicious external party should know an identity-provider name used in a different application, and knows a valid user-account at the desired identity-provider. If said pre-conditions are met, a malicious external party could force an unintended, yet same type authenticator, to be used during the multi-option login operation. This could lead to confidentiality, integrity and availability impact to the application, depending on the functionalities made available to the authenticated users.
If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.
You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-identity-framework/pull/2948
Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.