CVE-2024-7073

Description

A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin services. This flaw allows unauthenticated attackers to manipulate server-side requests, enabling access to internal and external resources available through the network or filesystem. Exploitation of this vulnerability could lead to unauthorized access to sensitive data and systems, including resources within private networks, as long as they are reachable by the affected product.

CVSS breakdown

CVSS 3.1

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Affected products

WSO2 / WSO2 Carbon Policy Editor BE5.25.92 – 5.25.92.95
WSO2 / WSO2 Carbon Policy Editor BE5.14.97 – 5.14.97.76
WSO2 / WSO2 Carbon Policy Editor BE5.23.8 – 5.23.8.186
WSO2 / WSO2 Carbon Policy Editor BE5.18.187 – 5.18.187.268
WSO2 / WSO2 Carbon Policy Editor BE5.17.5 – 5.17.5.284
WSO2 / WSO2 Carbon Policy Editor BE7.4.3 – *
WSO2 / WSO2 Carbon Policy Editor BE7.0.78 – 7.0.78.35
WSO2 / WSO2 Carbon Policy Editor BE5.12.387 – 5.12.387.42
WSO2 / WSO2 Carbon Policy Editor BE5.12.153 – 5.12.153.59
WSO2 / WSO2 Carbon Policy Editor BE5.11.256 – 5.11.256.17
WSO2 / WSO2 Carbon Policy Editor BE5.11.148 – 5.11.148.15
WSO2 / WSO2 Carbon Policy Editor BE5.10.112 – 5.10.112.16
WSO2 / WSO2 Carbon Policy Editor BE5.10.86 – 5.10.86.5
WSO2 / WSO2 Carbon Policy Editor BE5.2.2 – 5.2.2.14
WSO2 / WSO2 Carbon Policy Editor BE5.7.5 – 5.7.5.15
WSO2 / WSO2 Identity Server5.9.0 – 5.9.0.156
WSO2 / WSO2 Identity Server0 – 5.2.0
WSO2 / WSO2 Identity Server5.2.0 – 5.2.0.32
WSO2 / WSO2 Identity Server5.3.0 – 5.3.0.32
WSO2 / WSO2 Identity Server5.4.0 – 5.4.0.31
WSO2 / WSO2 Identity Server5.4.1 – 5.4.1.36
WSO2 / WSO2 Identity Server5.5.0 – 5.5.0.49
WSO2 / WSO2 Identity Server5.6.0 – 5.6.0.57
WSO2 / WSO2 Identity Server5.7.0 – 5.7.0.123
WSO2 / WSO2 Identity Server5.8.0 – 5.8.0.105
WSO2 / WSO2 Identity Server5.10.0 – 5.10.0.318
WSO2 / WSO2 Identity Server5.11.0 – 5.11.0.364
WSO2 / WSO2 Identity Server6.0.0 – 6.0.0.208
WSO2 / WSO2 Identity Server6.1.0 – 6.1.0.187
WSO2 / WSO2 Identity Server7.0.0 – 7.0.0.59
WSO2 / WSO2 Identity Server as Key Manager5.3.0 – 5.3.0.37
WSO2 / WSO2 Identity Server as Key Manager0 – 5.3.0
WSO2 / WSO2 Identity Server as Key Manager5.10.0 – 5.10.0.312
WSO2 / WSO2 Identity Server as Key Manager5.9.0 – 5.9.0.165
WSO2 / WSO2 Identity Server as Key Manager5.7.0 – 5.7.0.122
WSO2 / WSO2 Identity Server as Key Manager5.6.0 – 5.6.0.71
WSO2 / WSO2 Identity Server as Key Manager5.5.0 – 5.5.0.50
WSO2 / WSO2 Open Banking IAM0 – 2.0.0
WSO2 / WSO2 Open Banking IAM2.0.0 – 2.0.0.363
WSO2 / WSO2 Open Banking KM1.5.0 – 1.5.0.120
WSO2 / WSO2 Open Banking KM1.4.0 – 1.4.0.130
WSO2 / WSO2 Open Banking KM1.3.0 – 1.3.0.114
WSO2 / WSO2 Open Banking KM0 – 1.3.0

References

VENDOR_ADVISORYhttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3562