Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNmptLTlwcjgtOWMzd84AA3zA
Multiple WSO2 products vulnerable to perform user impersonatoin using JIT provisioning
Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met:
- An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option.
- A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled.
Attacker should have:
- A fresh valid user account in the federated IDP that has not been used earlier.
- Knowledge of the username of a valid user in the local IDP.
When all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation.
Permalink: https://github.com/advisories/GHSA-f6jm-9pr8-9c3wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNmptLTlwcjgtOWMzd84AA3zA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 9 months ago
Updated: 4 months ago
CVSS Score: 8.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Identifiers: GHSA-f6jm-9pr8-9c3w, CVE-2023-6837
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-6837
- https://github.com/wso2/carbon-identity-framework/commit/fdab609760784086b8a3f55f7acf46d977a03d79
- https://github.com/wso2/identity-apps/commit/1424203bbe81688d661ea8b8cd28e332302e1c53
- https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573
- https://github.com/advisories/GHSA-f6jm-9pr8-9c3w
Blast Radius: 13.5
Affected Packages
maven:org.wso2.identity.apps:authentication-portal
Dependent packages: 3Dependent repositories: 39
Downloads:
Affected Version Ranges: < 1.6.179.1
Fixed in: 1.6.179.1
All affected versions: 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.46, 1.3.47, 1.3.48, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.4.8, 1.4.9, 1.4.10, 1.4.11, 1.4.12, 1.4.13, 1.4.14, 1.4.15, 1.4.16, 1.4.17, 1.4.18, 1.4.19, 1.4.20, 1.4.21, 1.4.22, 1.4.23, 1.4.24, 1.4.25, 1.4.26, 1.4.27, 1.4.28, 1.4.29, 1.4.30, 1.4.32, 1.4.33, 1.4.34, 1.4.35, 1.4.36, 1.4.37, 1.4.38, 1.4.39, 1.4.40, 1.4.41, 1.4.42, 1.4.43, 1.4.44, 1.4.45, 1.4.46, 1.4.47, 1.4.48, 1.4.49, 1.4.50, 1.4.51, 1.4.52, 1.4.53, 1.4.54, 1.4.55, 1.4.56, 1.4.57, 1.4.58, 1.4.59, 1.4.60, 1.4.61, 1.4.62, 1.4.63, 1.4.64, 1.4.65, 1.4.66, 1.4.67, 1.4.68, 1.4.69, 1.4.70, 1.4.71, 1.4.72, 1.4.73, 1.4.74, 1.4.75, 1.4.76, 1.4.77, 1.4.78, 1.4.79, 1.4.80, 1.4.81, 1.4.82, 1.4.83, 1.4.84, 1.4.85, 1.4.86, 1.4.87, 1.4.88, 1.4.89, 1.4.90, 1.4.91, 1.4.92, 1.4.93, 1.4.94, 1.4.95, 1.4.96, 1.4.97, 1.4.98, 1.4.99, 1.4.100, 1.4.101, 1.4.102, 1.4.103, 1.4.104, 1.4.105, 1.4.106, 1.4.107, 1.4.108, 1.4.109, 1.4.110, 1.4.111, 1.4.112, 1.4.113, 1.4.114, 1.4.115, 1.4.116, 1.4.117, 1.4.118, 1.4.119, 1.4.120, 1.4.121, 1.4.122, 1.4.123, 1.4.124, 1.5.0, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 1.6.14, 1.6.15, 1.6.16
All unaffected versions: 1.6.17, 1.6.18, 1.6.19, 1.6.20, 1.6.21, 1.6.22, 1.6.23, 1.6.24, 1.6.25, 1.6.26, 1.6.27, 1.6.28, 1.6.29, 1.6.30, 1.6.31, 1.6.32, 1.6.33, 1.6.34, 1.6.35, 1.6.36, 1.6.37, 1.6.38, 1.6.39, 1.6.40, 1.6.41, 1.6.42, 1.6.43, 1.6.44, 1.6.45, 1.6.46, 1.6.47, 1.6.48, 1.6.49, 1.6.50, 1.6.51, 1.6.52, 1.6.53, 1.6.54, 1.6.55, 1.6.56, 1.6.57, 1.6.58, 1.6.59, 1.6.60, 1.6.61, 1.6.62, 1.6.63, 1.6.64, 1.6.65, 1.6.66, 1.6.67, 1.6.68, 1.6.69, 1.6.70, 1.6.71, 1.6.72, 1.6.73, 1.6.74, 1.6.75, 1.6.76, 1.6.77, 1.6.78, 1.6.79, 1.6.80, 1.6.81, 1.6.82, 1.6.83, 1.6.84, 1.6.85, 1.6.86, 1.6.87, 1.6.88, 1.6.89, 1.6.90, 1.6.91, 1.6.92, 1.6.93, 1.6.94, 1.6.95, 1.6.96, 1.6.97, 1.6.98, 1.6.99, 1.6.100, 1.6.101, 1.6.102, 1.6.103, 1.6.104, 1.6.105, 1.6.106, 1.6.107, 1.6.108, 1.6.109, 1.6.110, 1.6.111, 1.6.112, 1.6.113, 1.6.114, 1.6.115, 1.6.116, 1.6.117, 1.6.118, 1.6.119, 1.6.120, 1.6.121, 1.6.122, 1.6.123, 1.6.124, 1.6.125, 1.6.126, 1.6.127, 1.6.128, 1.6.129, 1.6.130, 1.6.131, 1.6.132, 1.6.133, 1.6.134, 1.6.155, 1.6.156, 1.6.157, 1.6.158, 1.6.159, 1.6.160, 1.6.161, 1.6.162, 1.6.163, 1.6.164, 1.6.165, 1.6.166, 1.6.167, 1.6.168, 1.6.169, 1.6.170, 1.6.171, 1.6.172, 1.6.173, 1.6.174, 1.6.175, 1.6.176, 1.6.177, 1.6.178, 1.6.179, 1.6.180, 1.6.181, 1.6.182, 1.6.183, 1.6.184, 1.6.185, 1.6.186, 1.6.187, 1.6.188, 1.6.189, 1.6.190, 1.6.191, 1.6.192, 1.6.193, 1.6.194, 1.6.195, 1.6.196, 1.6.197, 1.6.198, 1.6.199, 1.6.200, 1.6.201, 1.6.202, 1.6.203, 1.6.204, 1.6.205, 1.6.206, 1.6.207, 1.6.208, 1.6.209, 1.6.210, 1.6.211, 1.6.212, 1.6.214, 1.6.215, 1.6.216, 1.6.217, 1.6.218, 1.6.219, 1.6.220, 1.6.221, 1.6.222, 1.6.223, 1.6.224, 1.6.225, 1.6.226, 1.6.227, 1.6.228, 1.6.229, 1.6.230, 1.6.238, 1.6.239, 1.6.240, 1.6.241, 1.6.242, 1.6.244, 1.6.245, 1.6.246, 1.6.247, 1.6.248, 1.6.249, 1.6.250, 1.6.251, 1.6.252, 1.6.253, 1.6.254, 1.6.255, 1.6.256, 1.6.257, 1.6.258, 1.6.259, 1.6.260, 1.6.261, 1.6.262, 1.6.263, 1.6.264, 1.6.265, 1.6.266, 1.6.267, 1.6.268, 1.6.269, 1.6.270, 1.6.271, 1.6.272, 1.6.273, 1.6.274, 1.6.275, 1.6.276, 1.6.277, 1.6.278, 1.6.279, 1.6.280, 1.6.281, 1.6.282, 1.6.283, 1.6.284, 1.6.285, 1.6.286, 1.6.287, 1.6.288, 1.6.289, 1.6.290, 1.6.291, 1.6.292, 1.6.293, 1.6.294, 1.6.295, 1.6.296, 1.6.297, 1.6.298, 1.6.299, 1.6.300, 1.6.301, 1.6.302, 1.6.303, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.1.33, 2.1.44, 2.1.45, 2.1.46, 2.1.53, 2.1.54, 2.1.55, 2.1.56, 2.1.57, 2.1.58, 2.1.59, 2.1.60, 2.1.61, 2.1.62, 2.1.63, 2.1.64, 2.1.65, 2.1.66, 2.1.67, 2.1.68, 2.1.69, 2.1.71, 2.1.72, 2.1.73, 2.1.74, 2.1.75, 2.1.76, 2.1.77, 2.2.0, 2.2.1, 2.2.2, 2.3.6, 2.3.7, 2.4.29, 2.4.30, 2.4.31, 2.4.32, 2.4.33, 2.4.34, 2.4.35, 2.4.36
maven:org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.authentication.framework
Affected Version Ranges: < 5.20.254Fixed in: 5.20.254