Incorrect Authorization
CVE-2024-7096
Summary
A Privilege Escalation vulnerability exists in multiple WSO2 products which includes API manager versions 2.0.0 through 4.3.0, and identity server versions 5.2.0 through 7.0.0 due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: First, SOAP admin services are accessible to the attacker. Second, the deployment includes an internally used attribute that is not part of the default WSO2 product configuration. Third, at least one custom role exists with non-default permissions. Finally, the attacker has knowledge of the custom role and the internal attribute used in the deployment. Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms.
- LOW
- ADJACENT_NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-863 - Incorrect Authorization
Authorization is a security mechanism performed by an application to grant or deny access to the requested resources by verifying the privileges of the user. When an application lacks effective authorization mechanisms, it enables unauthorized users to gain unintended privileges and illegitimate access to resources. Such a vulnerability may result in exposure of sensitive information, denial of service, arbitrary code execution, and complete system takeover.
Advisory Timeline
- Published
