Description
An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization. Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation.
CVSS breakdown
CVSS 3.1
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None
Affected products
- WSO2 / WSO2 API Manager2.0.0 β 2.0.0.29
- WSO2 / WSO2 API Manager0 β 2.0.0
- WSO2 / WSO2 API Manager4.3.0 β 4.3.0.16
- WSO2 / WSO2 API Manager4.2.0 β 4.2.0.101
- WSO2 / WSO2 API Manager4.1.0 β 4.1.0.166
- WSO2 / WSO2 API Manager4.0.0 β 4.0.0.305
- WSO2 / WSO2 API Manager3.2.1 β 3.2.1.16
- WSO2 / WSO2 API Manager3.2.0 β 3.2.0.384
- WSO2 / WSO2 API Manager3.1.0 β 3.1.0.294
- WSO2 / WSO2 API Manager3.0.0 β 3.0.0.162
- WSO2 / WSO2 API Manager2.6.0 β 2.6.0.142
- WSO2 / WSO2 API Manager2.5.0 β 2.5.0.83
- WSO2 / WSO2 API Manager2.2.0 β 2.2.0.56
- WSO2 / WSO2 API Manager2.1.0 β 2.1.0.39
- WSO2 / WSO2 Enterprise Mobility Manager2.2.0 β 2.2.0.26
- WSO2 / WSO2 Identity Server5.11.0 β 5.11.0.365
- WSO2 / WSO2 Identity Server0 β 5.2.0
- WSO2 / WSO2 Identity Server5.2.0 β 5.2.0.32
- WSO2 / WSO2 Identity Server5.3.0 β 5.3.0.33
- WSO2 / WSO2 Identity Server5.4.0 β 5.4.0.32
- WSO2 / WSO2 Identity Server5.4.1 β 5.4.1.36
- WSO2 / WSO2 Identity Server5.5.0 β 5.5.0.50
- WSO2 / WSO2 Identity Server5.6.0 β 5.6.0.58
- WSO2 / WSO2 Identity Server5.7.0 β 5.7.0.123
- WSO2 / WSO2 Identity Server5.8.0 β 5.8.0.106
- WSO2 / WSO2 Identity Server5.9.0 β 5.9.0.157
- WSO2 / WSO2 Identity Server5.10.0 β 5.10.0.318
- WSO2 / WSO2 Identity Server6.0.0 β 6.0.0.209
- WSO2 / WSO2 Identity Server6.1.0 β 6.1.0.188
- WSO2 / WSO2 Identity Server7.0.0 β 7.0.0.60
- WSO2 / WSO2 Identity Server as Key Manager5.6.0 β 5.6.0.72
- WSO2 / WSO2 Identity Server as Key Manager5.5.0 β 5.5.0.51
- WSO2 / WSO2 Identity Server as Key Manager5.3.0 β 5.3.0.38
- WSO2 / WSO2 Identity Server as Key Manager0 β 5.3.0
- WSO2 / WSO2 Identity Server as Key Manager5.10.0 β 5.10.0.312
- WSO2 / WSO2 Identity Server as Key Manager5.9.0 β 5.9.0.165
- WSO2 / WSO2 Identity Server as Key Manager5.7.0 β 5.7.0.122
- WSO2 / WSO2 Open Banking AM1.4.0 β 1.4.0.134
- WSO2 / WSO2 Open Banking AM1.3.0 β 1.3.0.131
- WSO2 / WSO2 Open Banking AM0 β 1.3.0
- WSO2 / WSO2 Open Banking AM2.0.0 β 2.0.0.343
- WSO2 / WSO2 Open Banking AM1.5.0 β 1.5.0.136
- WSO2 / WSO2 Open Banking IAM0 β 2.0.0
- WSO2 / WSO2 Open Banking IAM2.0.0 β 2.0.0.364
- WSO2 / WSO2 Open Banking KM1.4.0 β 1.4.0.130
- WSO2 / WSO2 Open Banking KM1.3.0 β 1.3.0.114
- WSO2 / WSO2 Open Banking KM0 β 1.3.0
- WSO2 / WSO2 Open Banking KM1.5.0 β 1.5.0.120
Exploits & PoCs
- nucleiWSO2 User Registration - Arbitrary Account Creationby iamnoooob,rootxharsh,pdresearch