Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNmptLTlwcjgtOWMzd84AA3zA
Multiple WSO2 products vulnerable to user impersonation via JIT provisioning
Multiple WSO2 products have been identified as vulnerable to user impersonation through JIT (just-in-time) provisioning. For this vulnerability to have any impact on your deployment, all of the following conditions must be met:
- An IDP configured for federated authentication, with JIT provisioning enabled using the "Prompt for username, password and consent" option.
- A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled.
The attacker must also have:
- A fresh, valid user account in the federated IDP that has not been used to log in before (so that the JIT provisioning flow is triggered).
- Knowledge of the username of a valid user in the local IDP.
When all preconditions are met, a malicious actor can use the JIT provisioning flow to impersonate that local user: the local username supplied at the JIT prompt becomes the mapped local subject identifier that the service provider asserts.
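One way to audit a deployment for the two configuration preconditions above, as an added example that is not part of the advisory or of WSO2's own tooling: the script below walks identity-provider and application JSON documents (shapes modelled on the WSO2 IS server management REST API; the field names, the scheme constant and the sample documents are assumptions to verify against your server version) and reports every application that asserts identity with the mapped local subject identifier while authenticating through an IDP whose JIT provisioning prompts for a username. Those pairs are the ones to fix first, by upgrading or by turning off one side of the pair until you can.

```python
"""Audit WSO2 Identity Server configuration for the CVE-2023-6837
precondition pair: an IDP whose JIT provisioning prompts for username,
password and consent, used for federated login by an application that
asserts identity with the mapped local subject identifier.

Added example; this is not WSO2 code. The JSON shapes are modelled on the
WSO2 IS server management REST API (GET /api/server/v1/identity-providers/{id}
with its provisioning.jit block, and GET /api/server/v1/applications/{id});
the field names and the scheme constant are assumptions to verify against
your server version. The sample documents are constructed for illustration.
"""

# Assumed API name for the "Prompt for username, password and consent" option.
PROMPT_USERNAME_SCHEME = "PROMPT_USERNAME_PASSWORD_CONSENT"

# Constructed sample: two IDPs and three applications (service providers).
SAMPLE_IDPS = [
    {"name": "PartnerIdP",
     "provisioning": {"jit": {"isEnabled": True,
                              "scheme": "PROMPT_USERNAME_PASSWORD_CONSENT",
                              "userstore": "PRIMARY"}}},
    {"name": "SocialIdP",
     "provisioning": {"jit": {"isEnabled": True,
                              "scheme": "PROVISION_SILENTLY",
                              "userstore": "PRIMARY"}}},
]

SAMPLE_APPS = [
    {"name": "PayrollPortal",
     "claimConfiguration": {"subject": {"useMappedLocalSubject": True}},
     "authenticationSequence": {"steps": [
         {"id": 1, "options": [{"idp": "PartnerIdP", "authenticator": "SAMLSSOAuthenticator"}]}]}},
    {"name": "Wiki",
     "claimConfiguration": {"subject": {"useMappedLocalSubject": False}},
     "authenticationSequence": {"steps": [
         {"id": 1, "options": [{"idp": "PartnerIdP", "authenticator": "SAMLSSOAuthenticator"}]}]}},
    {"name": "Dashboard",
     "claimConfiguration": {"subject": {"useMappedLocalSubject": True}},
     "authenticationSequence": {"steps": [
         {"id": 1, "options": [{"idp": "LOCAL", "authenticator": "BasicAuthenticator"},
                               {"idp": "SocialIdP", "authenticator": "OpenIDConnectAuthenticator"}]}]}},
]


def jit_prompts_for_username(idp):
    """True if the IDP provisions users just-in-time and asks them for a username."""
    jit = idp.get("provisioning", {}).get("jit", {})
    return bool(jit.get("isEnabled")) and jit.get("scheme") == PROMPT_USERNAME_SCHEME


def federated_idps_of(app):
    """Names of every non-local IDP that appears in any authentication step."""
    names = []
    for step in app.get("authenticationSequence", {}).get("steps", []):
        for option in step.get("options", []):
            idp = option.get("idp")
            if idp and idp != "LOCAL" and idp not in names:
                names.append(idp)
    return names


def asserts_mapped_local_subject(app):
    """True if "Assert identity using mapped local subject identifier" is enabled."""
    subject = app.get("claimConfiguration", {}).get("subject", {})
    return bool(subject.get("useMappedLocalSubject"))


def find_impersonation_paths(idps, apps):
    """Return (application, idp) pairs that satisfy both deployment preconditions."""
    prompting = {idp["name"] for idp in idps if jit_prompts_for_username(idp)}
    paths = []
    for app in apps:
        if not asserts_mapped_local_subject(app):
            continue
        for idp_name in federated_idps_of(app):
            if idp_name in prompting:
                paths.append((app["name"], idp_name))
    return paths


if __name__ == "__main__":
    for app_name, idp_name in find_impersonation_paths(SAMPLE_IDPS, SAMPLE_APPS):
        print(f"{app_name}: federated login via {idp_name} with JIT username prompt "
              f"and mapped local subject assertion")
```

To run it against a real deployment, replace the sample lists with the JSON returned for each identity provider (including its JIT provisioning configuration) and each application, then review every pair the script prints. An application that uses a local-only login step, or an IDP that provisions silently, is not reported because the advisory's preconditions are not both met.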
Permalink: https://github.com/advisories/GHSA-f6jm-9pr8-9c3w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNmptLTlwcjgtOWMzd84AA3zA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 12 months ago
Updated: 7 months ago
CVSS Score: 8.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Identifiers: GHSA-f6jm-9pr8-9c3w, CVE-2023-6837
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-6837
- https://github.com/wso2/carbon-identity-framework/commit/fdab609760784086b8a3f55f7acf46d977a03d79
- https://github.com/wso2/identity-apps/commit/1424203bbe81688d661ea8b8cd28e332302e1c53
- https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573
- https://github.com/advisories/GHSA-f6jm-9pr8-9c3w
Blast Radius: 13.5
Affected Packages
maven:org.wso2.identity.apps:authentication-portal
Dependent packages: 3
Dependent repositories: 39
Affected Version Ranges: < 1.6.179.1
Fixed in: 1.6.179.1
Note: the per-version lists below do not agree with this range. Versions 1.6.17 through 1.6.178 fall inside "< 1.6.179.1" yet appear under unaffected versions, so treat the range and the fix commits referenced above as authoritative when deciding whether a deployment is affected.
All affected versions: 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.46, 1.3.47, 1.3.48, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.20, 1.4.21, 1.4.22, 1.4.23, 1.4.24, 1.4.25, 1.4.26, 1.4.27, 1.4.28, 1.4.29, 1.4.30, 1.4.32, 1.4.33, 1.4.34, 1.4.35, 1.4.36, 1.4.37, 1.4.38, 1.4.39, 1.4.40, 1.4.41, 1.4.42, 1.4.43, 1.4.44, 1.4.45, 1.4.46, 1.4.47, 1.4.48, 1.4.49, 1.4.50, 1.4.51, 1.4.52, 1.4.53, 1.4.54, 1.4.55, 1.4.56, 1.4.57, 1.4.58, 1.4.59, 1.4.60, 1.4.61, 1.4.62, 1.4.63, 1.4.64, 1.4.65, 1.4.66, 1.4.67, 1.4.68, 1.4.69, 1.4.70, 1.4.71, 1.4.72, 1.4.73, 1.4.74, 1.4.75, 1.4.76, 1.4.77, 1.4.78, 1.4.79, 1.4.80, 1.4.81, 1.4.82, 1.4.83, 1.4.84, 1.4.85, 1.4.86, 1.4.87, 1.4.88, 1.4.89, 1.4.90, 1.4.91, 1.4.92, 1.4.93, 1.4.94, 1.4.95, 1.4.96, 1.4.97, 1.4.98, 1.4.99, 1.4.100, 1.4.101, 1.4.102, 1.4.103, 1.4.104, 1.4.105, 1.4.106, 1.4.107, 1.4.108, 1.4.109, 1.4.110, 1.4.111, 1.4.112, 1.4.113, 1.4.114, 1.4.115, 1.4.116, 1.4.117, 1.4.118, 1.4.119, 1.4.120, 1.4.121, 1.4.122, 1.4.123, 1.4.124, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16
All unaffected versions: 1.6.17, 1.6.18, 1.6.19, 1.6.20, 1.6.21, 1.6.22, 1.6.23, 1.6.24, 1.6.25, 1.6.26, 1.6.27, 1.6.28, 1.6.29, 1.6.30, 1.6.31, 1.6.32, 1.6.33, 1.6.34, 1.6.35, 1.6.36, 1.6.37, 1.6.38, 1.6.39, 1.6.40, 1.6.41, 1.6.42, 1.6.43, 1.6.44, 1.6.45, 1.6.46, 1.6.47, 1.6.48, 1.6.49, 1.6.50, 1.6.51, 1.6.52, 1.6.53, 1.6.54, 1.6.55, 1.6.56, 1.6.57, 1.6.58, 1.6.59, 1.6.60, 1.6.61, 1.6.62, 1.6.63, 1.6.64, 1.6.65, 1.6.66, 1.6.67, 1.6.68, 1.6.69, 1.6.70, 1.6.71, 1.6.72, 1.6.73, 1.6.74, 1.6.75, 1.6.76, 1.6.77, 1.6.78, 1.6.79, 1.6.80, 1.6.81, 1.6.82, 1.6.83, 1.6.84, 1.6.85, 1.6.86, 1.6.87, 1.6.88, 1.6.89, 1.6.90, 1.6.91, 1.6.92, 1.6.93, 1.6.94, 1.6.95, 1.6.96, 1.6.97, 1.6.98, 1.6.99, 1.6.100, 1.6.101, 1.6.102, 1.6.103, 1.6.104, 1.6.105, 1.6.106, 1.6.107, 1.6.108, 1.6.109, 1.6.110, 1.6.111, 1.6.112, 1.6.113, 1.6.114, 1.6.115, 1.6.116, 1.6.117, 1.6.118, 1.6.119, 1.6.120, 1.6.121, 1.6.122, 1.6.123, 1.6.124, 1.6.125, 1.6.126, 1.6.127, 1.6.128, 1.6.129, 1.6.130, 1.6.131, 1.6.132, 1.6.133, 1.6.134, 1.6.155, 1.6.156, 1.6.157, 1.6.158, 1.6.159, 1.6.160, 1.6.161, 1.6.162, 1.6.163, 1.6.164, 1.6.165, 1.6.166, 1.6.167, 1.6.168, 1.6.169, 1.6.170, 1.6.171, 1.6.172, 1.6.173, 1.6.174, 1.6.175, 1.6.176, 1.6.177, 1.6.178, 1.6.179, 1.6.180, 1.6.181, 1.6.182, 1.6.183, 1.6.184, 1.6.185, 1.6.186, 1.6.187, 1.6.188, 1.6.189, 1.6.190, 1.6.191, 1.6.192, 1.6.193, 1.6.194, 1.6.195, 1.6.196, 1.6.197, 1.6.198, 1.6.199, 1.6.200, 1.6.201, 1.6.202, 1.6.203, 1.6.204, 1.6.205, 1.6.206, 1.6.207, 1.6.208, 1.6.209, 1.6.210, 1.6.211, 1.6.212, 1.6.214, 1.6.215, 1.6.216, 1.6.217, 1.6.218, 1.6.219, 1.6.220, 1.6.221, 1.6.222, 1.6.223, 1.6.224, 1.6.225, 1.6.226, 1.6.227, 1.6.228, 1.6.229, 1.6.230, 1.6.238, 1.6.239, 1.6.240, 1.6.241, 1.6.242, 1.6.244, 1.6.245, 1.6.246, 1.6.247, 1.6.248, 1.6.249, 1.6.250, 1.6.251, 1.6.252, 1.6.253, 1.6.254, 1.6.255, 1.6.256, 1.6.257, 1.6.258, 1.6.259, 1.6.260, 1.6.261, 1.6.262, 1.6.263, 1.6.264, 1.6.265, 1.6.266, 1.6.267, 1.6.268, 1.6.269, 1.6.270, 1.6.271, 1.6.272, 1.6.273, 1.6.274, 1.6.275, 1.6.276, 1.6.277, 1.6.278, 1.6.279, 1.6.280, 1.6.281, 1.6.282, 1.6.283, 1.6.284, 1.6.285, 1.6.286, 1.6.287, 1.6.288, 1.6.289, 1.6.290, 1.6.291, 1.6.292, 1.6.293, 1.6.294, 1.6.295, 1.6.296, 1.6.297, 1.6.298, 1.6.299, 1.6.300, 1.6.301, 1.6.302, 1.6.303, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.1.33, 2.1.44, 2.1.45, 2.1.46, 2.1.53, 2.1.54, 2.1.55, 2.1.56, 2.1.57, 2.1.58, 2.1.59, 2.1.60, 2.1.61, 2.1.62, 2.1.63, 2.1.64, 2.1.65, 2.1.66, 2.1.67, 2.1.68, 2.1.69, 2.1.71, 2.1.72, 2.1.73, 2.1.74, 2.1.75, 2.1.76, 2.1.77, 2.2.0, 2.2.1, 2.2.2, 2.3.6, 2.3.7, 2.4.29, 2.4.30, 2.4.31, 2.4.32, 2.4.33, 2.4.34, 2.4.35, 2.4.36, 2.4.37, 2.4.38, 2.4.39, 2.4.40, 2.4.41, 2.4.42, 2.4.43
maven:org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.authentication.framework
Affected Version Ranges: < 5.20.254
Fixed in: 5.20.254