Search

Find a vulnerability

Search criteria

    2 vulnerabilities found for WSO2 Carbon Identity Client Attestation Met Data Mgt BE by WSO2

    CVE-2024-7487 (GCVE-0-2024-7487)

    Vulnerability from nvd – Published: 2025-05-22 19:03 – Updated: 2025-05-22 19:23
    VLAI
    Title
    Improper Authentication in WSO2 Identity Server 7.0.0 Allows Bypass of App-Native Authentication
    Summary
    An improper authentication vulnerability exists in WSO2 Identity Server 7.0.0 due to an implementation flaw that allows app-native authentication to be bypassed when an invalid object is passed. Exploitation of this vulnerability could enable malicious actors to circumvent the client verification mechanism, compromising the integrity of the authentication process.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 Identity Server Affected: 7.0.0 , < 7.0.0.65 (custom)
    Create a notification for this product.
    WSO2 Client Attestation Filter Affected: 7.0.26 , < 7.0.26.24 (custom)
    Unaffected: 7.0.51 , ≤ * (custom)
    Create a notification for this product.
    WSO2 WSO2 Carbon Identity Client Attestation Met Data Mgt BE Affected: 7.0.78 , < 7.0.78.44 (custom)
    Unaffected: 7.1.30 , ≤ * (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7487",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-22T19:23:42.783012Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-22T19:23:58.211Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Identity Server",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "7.0.0.65",
                  "status": "affected",
                  "version": "7.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.client.attestation.filter",
              "product": "Client Attestation Filter",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "7.0.26.24",
                  "status": "affected",
                  "version": "7.0.26",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "*",
                  "status": "unaffected",
                  "version": "7.0.51",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.wso2.carbon.identity.framework:org.wso2.carbon.identity.client.attestation.mgt",
              "product": "WSO2 Carbon Identity Client Attestation Met Data Mgt BE",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "7.0.78.44",
                  "status": "affected",
                  "version": "7.0.78",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "*",
                  "status": "unaffected",
                  "version": "7.1.30",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper authentication vulnerability exists in WSO2 Identity Server 7.0.0 due to an implementation flaw that allows app-native authentication to be bypassed when an invalid object is passed.\u003cbr\u003e\u003cbr\u003eExploitation of this vulnerability could enable malicious actors to circumvent the client verification mechanism, compromising the integrity of the authentication process.\u003cbr\u003e"
                }
              ],
              "value": "An improper authentication vulnerability exists in WSO2 Identity Server 7.0.0 due to an implementation flaw that allows app-native authentication to be bypassed when an invalid object is passed.\n\nExploitation of this vulnerability could enable malicious actors to circumvent the client verification mechanism, compromising the integrity of the authentication process."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-22T19:03:13.414Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3348/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3348/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3348/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
                }
              ],
              "value": "Follow the instructions given on  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3348/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3348/#solution"
            }
          ],
          "source": {
            "advisory": "WSO2-2024-3348",
            "discovery": "INTERNAL"
          },
          "title": "Improper Authentication in WSO2 Identity Server 7.0.0 Allows Bypass of App-Native Authentication",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2024-7487",
        "datePublished": "2025-05-22T19:03:13.414Z",
        "dateReserved": "2024-08-05T13:04:03.920Z",
        "dateUpdated": "2025-05-22T19:23:58.211Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-7487 (GCVE-0-2024-7487)

    Vulnerability from cvelistv5 – Published: 2025-05-22 19:03 – Updated: 2025-05-22 19:23
    VLAI
    Title
    Improper Authentication in WSO2 Identity Server 7.0.0 Allows Bypass of App-Native Authentication
    Summary
    An improper authentication vulnerability exists in WSO2 Identity Server 7.0.0 due to an implementation flaw that allows app-native authentication to be bypassed when an invalid object is passed. Exploitation of this vulnerability could enable malicious actors to circumvent the client verification mechanism, compromising the integrity of the authentication process.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    Impacted products
    Vendor Product Version
    WSO2 WSO2 Identity Server Affected: 7.0.0 , < 7.0.0.65 (custom)
    Create a notification for this product.
    WSO2 Client Attestation Filter Affected: 7.0.26 , < 7.0.26.24 (custom)
    Unaffected: 7.0.51 , ≤ * (custom)
    Create a notification for this product.
    WSO2 WSO2 Carbon Identity Client Attestation Met Data Mgt BE Affected: 7.0.78 , < 7.0.78.44 (custom)
    Unaffected: 7.1.30 , ≤ * (custom)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-7487",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-22T19:23:42.783012Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-22T19:23:58.211Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "WSO2 Identity Server",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "7.0.0.65",
                  "status": "affected",
                  "version": "7.0.0",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.client.attestation.filter",
              "product": "Client Attestation Filter",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "7.0.26.24",
                  "status": "affected",
                  "version": "7.0.26",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "*",
                  "status": "unaffected",
                  "version": "7.0.51",
                  "versionType": "custom"
                }
              ]
            },
            {
              "defaultStatus": "unknown",
              "packageName": "org.wso2.carbon.identity.framework:org.wso2.carbon.identity.client.attestation.mgt",
              "product": "WSO2 Carbon Identity Client Attestation Met Data Mgt BE",
              "vendor": "WSO2",
              "versions": [
                {
                  "lessThan": "7.0.78.44",
                  "status": "affected",
                  "version": "7.0.78",
                  "versionType": "custom"
                },
                {
                  "lessThanOrEqual": "*",
                  "status": "unaffected",
                  "version": "7.1.30",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "An improper authentication vulnerability exists in WSO2 Identity Server 7.0.0 due to an implementation flaw that allows app-native authentication to be bypassed when an invalid object is passed.\u003cbr\u003e\u003cbr\u003eExploitation of this vulnerability could enable malicious actors to circumvent the client verification mechanism, compromising the integrity of the authentication process.\u003cbr\u003e"
                }
              ],
              "value": "An improper authentication vulnerability exists in WSO2 Identity Server 7.0.0 due to an implementation flaw that allows app-native authentication to be bypassed when an invalid object is passed.\n\nExploitation of this vulnerability could enable malicious actors to circumvent the client verification mechanism, compromising the integrity of the authentication process."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.8,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "CHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-22T19:03:13.414Z",
            "orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
            "shortName": "WSO2"
          },
          "references": [
            {
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3348/"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "\u003cspan style=\"background-color: transparent;\"\u003eFollow the instructions given on \u003c/span\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3348/#solution\"\u003e\u003cspan style=\"background-color: transparent;\"\u003ehttps://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3348/#solution\u003c/span\u003e\u003c/a\u003e \u003cbr\u003e"
                }
              ],
              "value": "Follow the instructions given on  https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3348/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3348/#solution"
            }
          ],
          "source": {
            "advisory": "WSO2-2024-3348",
            "discovery": "INTERNAL"
          },
          "title": "Improper Authentication in WSO2 Identity Server 7.0.0 Allows Bypass of App-Native Authentication",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8",
        "assignerShortName": "WSO2",
        "cveId": "CVE-2024-7487",
        "datePublished": "2025-05-22T19:03:13.414Z",
        "dateReserved": "2024-08-05T13:04:03.920Z",
        "dateUpdated": "2025-05-22T19:23:58.211Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }