Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 4 Current »

Published: 11th January 2021

Version: 1.0.0

Severity: High

CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)


AFFECTED PRODUCTS

WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0
WSO2 API Microgateway : 2.2.0
WSO2 IS as Key Manager : 5.5.0 , 5.6.0 , 5.7.0 , 5.9.0 , 5.10.0
WSO2 Identity Server : 5.4.0 , 5.4.1 , 5.5.0 , 5.6.0 , 5.7.0 , 5.8.0 , 5.9.0 , 5.10.0


OVERVIEW

Improper validation of token authenticity by OAuth introspection endpoint.


DESCRIPTION

A self-contained access token (which is a JWT) includes a payload, and a signature to ensure the integrity of the token. When the relying party provides the token to the Resource Server, the Resource Server is expected to validate the signature. However, if the Resource Server relies on the Authorization Server's (eg: WSO2 Identity Server) token introspection endpoint for that purpose, the signature of the self-contained access token does not get properly validated.


IMPACT

This vulnerability has an impact only if the Authorization Server's OAuth introspection endpoint is used to validate self-contained access tokens by the Resource Server. If the Resource Server is using the content of the token to make authorization decisions, a malicious user might be able to manipulate the content and gain access to unauthorized resources, which may impact confidentiality, integrity and availability of those resources. There is no impact if: self-contained access tokens are not used, if the self-contained access token validation is done by the Resource Server itself, or if the content of the token is not used to make authorization decisions by the Resource Server.


SOLUTION

If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.

You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/1380, https://github.com/wso2/carbon-identity-framework/pull/2937

Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.


  • No labels