CVE-2024-6914

Description

An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks.

CVSS breakdown

CVSS 3.1

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected products

WSO2 / WSO2 API Manager0 – 2.2.0
WSO2 / WSO2 API Manager2.2.0 – 2.2.0.55
WSO2 / WSO2 API Manager2.5.0 – 2.5.0.82
WSO2 / WSO2 API Manager2.6.0 – 2.6.0.141
WSO2 / WSO2 API Manager3.0.0 – 3.0.0.161
WSO2 / WSO2 API Manager3.1.0 – 3.1.0.292
WSO2 / WSO2 API Manager3.2.0 – 3.2.0.382
WSO2 / WSO2 API Manager3.2.1 – 3.2.1.14
WSO2 / WSO2 API Manager4.0.0 – 4.0.0.304
WSO2 / WSO2 API Manager4.1.0 – 4.1.0.164
WSO2 / WSO2 API Manager4.2.0 – 4.2.0.99
WSO2 / WSO2 API Manager4.3.0 – 4.3.0.15
WSO2 / WSO2 Carbon Identity Management7.3.44 – *
WSO2 / WSO2 Carbon Identity Management5.7.5 – 5.7.5.9
WSO2 / WSO2 Carbon Identity Management5.10.86 – 5.10.86.4
WSO2 / WSO2 Carbon Identity Management5.10.112 – 5.10.112.14
WSO2 / WSO2 Carbon Identity Management5.11.148 – 5.11.148.13
WSO2 / WSO2 Carbon Identity Management5.11.256 – 5.11.256.15
WSO2 / WSO2 Carbon Identity Management5.12.153 – 5.12.153.58
WSO2 / WSO2 Carbon Identity Management5.12.387 – 5.12.387.41
WSO2 / WSO2 Carbon Identity Management5.14.97 – 5.14.97.75
WSO2 / WSO2 Carbon Identity Management5.17.5 – 5.17.5.282
WSO2 / WSO2 Carbon Identity Management5.17.118 – 5.17.118.4
WSO2 / WSO2 Carbon Identity Management5.18.187 – 5.18.187.265
WSO2 / WSO2 Carbon Identity Management5.18.248 – 5.18.248.14
WSO2 / WSO2 Carbon Identity Management5.23.8 – 5.23.8.184
WSO2 / WSO2 Carbon Identity Management5.24.8 – 5.24.8.6
WSO2 / WSO2 Carbon Identity Management5.25.92 – 5.25.92.92
WSO2 / WSO2 Carbon Identity Management5.25.705 – 5.25.705.6
WSO2 / WSO2 Carbon Identity Management7.0.78 – 7.0.78.32
WSO2 / WSO2 Governance Registry5.4.0 – 5.4.0.14
WSO2 / WSO2 Identity Server0 – 5.3.0
WSO2 / WSO2 Identity Server5.3.0 – 5.3.0.31
WSO2 / WSO2 Identity Server7.0.0 – 7.0.0.56
WSO2 / WSO2 Identity Server6.1.0 – 6.1.0.184
WSO2 / WSO2 Identity Server6.0.0 – 6.0.0.207
WSO2 / WSO2 Identity Server5.11.0 – 5.11.0.363
WSO2 / WSO2 Identity Server5.10.0 – 5.10.0.317
WSO2 / WSO2 Identity Server5.9.0 – 5.9.0.155
WSO2 / WSO2 Identity Server5.8.0 – 5.8.0.104
WSO2 / WSO2 Identity Server5.7.0 – 5.7.0.122
WSO2 / WSO2 Identity Server5.6.0 – 5.6.0.56
WSO2 / WSO2 Identity Server5.5.0 – 5.5.0.48
WSO2 / WSO2 Identity Server5.4.0 – 5.4.0.30
WSO2 / WSO2 Identity Server5.4.1 – 5.4.1.35
WSO2 / WSO2 Identity Server as Key Manager5.5.0 – 5.5.0.49
WSO2 / WSO2 Identity Server as Key Manager5.7.0 – 5.7.0.121
WSO2 / WSO2 Identity Server as Key Manager5.9.0 – 5.9.0.162
WSO2 / WSO2 Identity Server as Key Manager5.10.0 – 5.10.0.311
WSO2 / WSO2 Identity Server as Key Manager0 – 5.3.0
WSO2 / WSO2 Identity Server as Key Manager5.3.0 – 5.3.0.36
WSO2 / WSO2 Identity Server as Key Manager5.6.0 – 5.6.0.70
WSO2 / WSO2 IoT3.3.0 – 3.3.0.59
WSO2 / WSO2 IoT3.3.1 – 3.3.1.61
WSO2 / WSO2 Open Banking AM2.0.0 – 2.0.0.341
WSO2 / WSO2 Open Banking AM1.5.0 – 1.5.0.135
WSO2 / WSO2 Open Banking AM1.4.0 – 1.4.0.133
WSO2 / WSO2 Open Banking AM1.3.0 – 1.3.0.130
WSO2 / WSO2 Open Banking AM0 – 1.3.0
WSO2 / WSO2 Open Banking IAM2.0.0 – 2.0.0.362
WSO2 / WSO2 Open Banking KM1.4.0 – 1.4.0.129
WSO2 / WSO2 Open Banking KM0 – 1.3.0
WSO2 / WSO2 Open Banking KM1.5.0 – 1.5.0.119
WSO2 / WSO2 Open Banking KM1.3.0 – 1.3.0.113

CVE-2024-6914

Description

CVSS breakdown

Affected products

References