23 June 2023 [NO.TCSA : 20230623-1-1-P]
WSO2, a leading provider of open-source API management and identity and access management (IAM) solutions, has issued four security advisories, WSO2-2022-2177, WSO2-2022-2182, WSO2-2022-2023, and WSO2-2022-2101. These advisories detail a series of vulnerabilities affecting WSO2 API Manager, Identity Server, and other related products.
The most severe among these is outlined in WSO2-2022-2177. Rated as a critical vulnerability with a CVSS score of 9.4, it is a broken access control issue affecting the API endpoints used for notification-based password recovery. If exploited, a malicious authenticated actor could impersonate and authenticate as a different targeted user, including administrators, provided they know the administrator’s username.
The second advisory, WSO2-2022-2182, has been given a high severity rating, with a CVSS score of 8.3. This highlights an SQL Injection vulnerability in the OAuth2 endpoint. To exploit this vulnerability, a malicious actor would need to be authenticated already.
WSO2-2022-2023 reveals a medium-severity issue (CVSS score: 5.4) related to access tokens. Specifically, access tokens belonging to disabled or locked users are not completely revoked when those users are authorized to access multiple client applications, so a token issued for one of the other applications can remain usable after the account has been disabled.
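The following added example (not WSO2's code, and not taken from the advisory) models the class of defect described above with a small in-memory token store: a user holds tokens for several client applications, a revocation routine that only clears one application's tokens leaves the rest live, and a complete revocation clears every token the user holds. The `audit_disabled_users` function is the kind of check an operator can run after disabling an account to confirm that no live tokens remain. All names, the `Token` shape and the sample users and client ids are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Token:
    """Constructed token record: one access token bound to a user and a client app."""
    value: str
    user: str
    client_id: str
    revoked: bool = False


class TokenStore:
    """Constructed in-memory token store (hypothetical, not WSO2's implementation)."""

    def __init__(self):
        self.tokens = []

    def issue(self, user, client_id, value):
        token = Token(value, user, client_id)
        self.tokens.append(token)
        return token

    def active_tokens(self, user):
        """All tokens for a user that have not been revoked, across every client app."""
        return [t for t in self.tokens if t.user == user and not t.revoked]


def revoke_for_client_only(store, user, client_id):
    """Incomplete revocation: clears only the tokens of a single client application.

    This is the failure mode the advisory describes: a disabled or locked user
    who is authorized for several applications keeps live tokens for the others.
    """
    for t in store.tokens:
        if t.user == user and t.client_id == client_id:
            t.revoked = True


def revoke_all_for_user(store, user):
    """Complete revocation on disable/lock: every client app's tokens are cleared.

    Returns the number of tokens that were live and are now revoked.
    """
    count = 0
    for t in store.tokens:
        if t.user == user and not t.revoked:
            t.revoked = True
            count += 1
    return count


def audit_disabled_users(store, disabled_users):
    """Detection control: map each disabled/locked user to any tokens still live.

    An empty dict means revocation is complete for every listed account.
    """
    report = {}
    for user in disabled_users:
        live = [t.value for t in store.active_tokens(user)]
        if live:
            report[user] = live
    return report


def demo():
    """Walk through the incomplete and the complete revocation on constructed data."""
    store = TokenStore()
    # Constructed sample: one user authorized for three client applications.
    store.issue("alice", "app-1", "tok-a1")
    store.issue("alice", "app-2", "tok-a2")
    store.issue("alice", "app-3", "tok-a3")

    # Account is disabled but only app-1's token is revoked: two tokens stay live.
    revoke_for_client_only(store, "alice", "app-1")
    leftover = audit_disabled_users(store, ["alice"])

    # Complete revocation clears the remaining tokens and the audit comes back clean.
    revoked_now = revoke_all_for_user(store, "alice")
    after = audit_disabled_users(store, ["alice"])
    return leftover, revoked_now, after


if __name__ == "__main__":
    print(demo())
```

The audit step is the part worth keeping in a real deployment: after applying the vendor patch, disabling a test account that holds tokens for more than one application and confirming that every one of them is rejected is the simplest way to verify the fix took effect.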
Lastly, the advisory WSO2-2022-2101 flags a low-severity vulnerability (CVSS score: 2.3) where identity claim data are retrieved from the user store if the identity data store does not have a value for the claim. This occurs when the JDBCIdentityDataStore is configured as the Identity data store.
WSO2-2022-2177 – Broken Access Control Vulnerability
WSO2-2022-2182 – SQL Injection Vulnerability
WSO2-2022-2023 – Access Tokens Revoke Vulnerability
WSO2-2022-2101 – Identity Data Store Value Vulnerability
Note: WSO2 releases security patches for all product versions listed in the WSO2 Support Matrix, encompassing both available and deprecated statuses. Be aware that these vulnerabilities may potentially affect older product versions that are now in extended or discontinued statuses.
WSO2 has issued security updates as outlined in the advisories. TechCERT strongly recommends that all administrators of affected systems carefully review these advisories and promptly apply the necessary updates.