Description
An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device. This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected products
- WSO2 / WSO2 Identity Server0 – 5.10.0
- WSO2 / WSO2 Identity Server5.10.0 – 5.10.0.345
- WSO2 / WSO2 Identity Server5.11.0 – 5.11.0.394
- WSO2 / WSO2 Identity Server as Key Manager0 – 5.10.0
- WSO2 / WSO2 Identity Server as Key Manager5.10.0 – 5.10.0.338
- WSO2 / WSO2 Open Banking IAM2.0.0 – 2.0.0.389