
CVE-2024-1248

4.8 MEDIUM (CVSS 3.1)
Description
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user. Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.
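As an added illustration (not WSO2 code; the store, account model and role names are assumptions), the flawed provisioning step beside a hardened one that refuses to touch a same-named local account, plus an audit helper a defender can run against the list of usernames an IdP is allowed to assert:

```python
"""Model of silent JIT provisioning on a username collision (CVE-2024-1248).
Constructed example: the account model and the role names are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    origin: str                      # "LOCAL" or "FEDERATED"
    roles: set = field(default_factory=set)


class UserStore:
    def __init__(self):
        self.accounts = {}

    def add_local(self, username, roles):
        self.accounts[username] = Account(username, "LOCAL", set(roles))

    def get(self, username):
        return self.accounts.get(username)


def provision_vulnerable(store, username, idp_roles):
    """Flawed behaviour described in the advisory: the federated login is written
    straight into the store, so a same-named local user's roles are replaced by
    whatever roles the IdP asserted (typically minimal ones)."""
    store.accounts[username] = Account(username, "FEDERATED", set(idp_roles))
    return store.get(username)


def provision_fixed(store, username, idp_roles):
    """Hardened form: an existing LOCAL account with this username is never
    modified by JIT provisioning. Returns None so the caller can deny the login
    and raise a detection event; the local roles stay exactly as they were."""
    existing = store.get(username)
    if existing is not None and existing.origin == "LOCAL":
        return None
    store.accounts[username] = Account(username, "FEDERATED", set(idp_roles))
    return store.get(username)


def audit_collisions(store, idp_usernames):
    """Defender-side check: which local accounts could be overwritten if silent
    JIT provisioning is enabled for an IdP asserting these usernames."""
    return sorted(u for u in idp_usernames
                  if store.get(u) is not None and store.get(u).origin == "LOCAL")
```

The audit helper is the check to run before enabling silent JIT provisioning for a new IdP: any username it returns is a local account whose roles the flawed path would clobber.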

Metadata

CVE ID: CVE-2024-1248
State: PUBLISHED
Assigner: WSO2
Reserved: 2024-02-06 04:46 UTC
Published: 2026-07-04 20:38 UTC
Last updated: 2026-07-04 20:38 UTC
Primary CWE: CWE-298: Improper Handling of Identity During Provisioning
Vendor / Product: WSO2 / WSO2 API Manager
Sources: cve.org · NVD

Severity & Metrics

4.8 MEDIUM (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Affected products (5)

Vendor | Product | Versions (no platform given)
WSO2 | WSO2 API Manager | 0 < 3.0.0, 3.0.0 < 3.0.0.153, 3.1.0 < 3.1.0.267, 3.2.0 < 3.2.0.351 …
WSO2 | WSO2 Identity Server | 0 < 5.8.0, 5.8.0 < 5.8.0.101, 5.9.0 < 5.9.0.138, 5.10.0 < 5.10.0.284 …
WSO2 | WSO2 Identity Server as Key Manager | 0 < 5.9.0, 5.9.0 < 5.9.0.148, 5.10.0 < 5.10.0.280
WSO2 | WSO2 Open Banking AM | 0 < 2.0.0, 2.0.0 < 2.0.0.313
WSO2 | WSO2 Open Banking IAM | 0 < 2.0.0, 2.0.0 < 2.0.0.333
Weakness (CWE)

CWE | Source | Description
CWE-298 | cna | CWE-298: Improper Handling of Identity During Provisioning

CVSS scores (1)

Score | Severity | Version | Source | Vector
4.8 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L