Published: 11th January 2021
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0
WSO2 API Microgateway : 2.2.0
WSO2 IS as Key Manager : 5.5.0 , 5.6.0 , 5.7.0 , 5.9.0 , 5.10.0
WSO2 Identity Server : 5.4.0 , 5.4.1 , 5.5.0 , 5.6.0 , 5.7.0 , 5.8.0 , 5.9.0 , 5.10.0
Improper validation of token authenticity by OAuth introspection endpoint.
A self-contained access token (which is a JWT) includes a payload, and a signature to ensure the integrity of the token. When the relying party provides the token to the Resource Server, the Resource Server is expected to validate the signature. However, if the Resource Server relies on the Authorization Server's (eg: WSO2 Identity Server) token introspection endpoint for that purpose, the signature of the self-contained access token does not get properly validated.
This vulnerability has an impact only if the Authorization Server's OAuth introspection endpoint is used to validate self-contained access tokens by the Resource Server. If the Resource Server is using the content of the token to make authorization decisions, a malicious user might be able to manipulate the content and gain access to unauthorized resources, which may impact confidentiality, integrity and availability of those resources. There is no impact if: self-contained access tokens are not used, if the self-contained access token validation is done by the Resource Server itself, or if the content of the token is not used to make authorization decisions by the Resource Server.
If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.
You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2-extensions/identity-inbound-auth-oauth/commit/7d71db7ccd9a215eee8419c5db16b71451dcc182
Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.