Description
An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks.
Reserved 2024-07-19 | Published 2025-05-22 | Updated 2025-05-22 | Assigner: WSO2
CRITICAL: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
When the "Security Guidelines for Production Deployment" are not followed and the "/services" context is publicly exposed (worst case)
HIGH: 8.8 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
When the "Security Guidelines for Production Deployment" are followed and the "/services" context is only accessible from trusted networks
Problem types
CWE-863 Incorrect Authorization
Product status
Default status: unaffected
  Any version before 2.2.0      unknown
  2.2.0 before 2.2.0.55         affected
  2.5.0 before 2.5.0.82         affected
  2.6.0 before 2.6.0.141        affected
  3.0.0 before 3.0.0.161        affected
  3.1.0 before 3.1.0.292        affected
  3.2.0 before 3.2.0.382        affected
  3.2.1 before 3.2.1.14         affected
  4.0.0 before 4.0.0.304        affected
  4.1.0 before 4.1.0.164        affected
  4.2.0 before 4.2.0.99         affected
  4.3.0 before 4.3.0.15         affected

Default status: unknown
  5.4.0 before 5.4.0.14         affected

Default status: unaffected
  Any version before 5.3.0      unknown
  5.3.0 before 5.3.0.31         affected
  5.4.0 before 5.4.0.30         affected
  5.4.1 before 5.4.1.35         affected
  5.5.0 before 5.5.0.48         affected
  5.6.0 before 5.6.0.56         affected
  5.7.0 before 5.7.0.122        affected
  5.8.0 before 5.8.0.104        affected
  5.9.0 before 5.9.0.155        affected
  5.10.0 before 5.10.0.317      affected
  5.11.0 before 5.11.0.363      affected
  6.0.0 before 6.0.0.207        affected
  6.1.0 before 6.1.0.184        affected
  7.0.0 before 7.0.0.56         affected

Default status: unaffected
  Any version before 5.3.0      unknown
  5.3.0 before 5.3.0.36         affected
  5.5.0 before 5.5.0.49         affected
  5.6.0 before 5.6.0.70         affected
  5.7.0 before 5.7.0.121        affected
  5.9.0 before 5.9.0.162        affected
  5.10.0 before 5.10.0.311      affected

Default status: unknown
  3.3.0 before 3.3.0.59         affected
  3.3.1 before 3.3.1.61         affected

Default status: unaffected
  Any version before 1.3.0      unknown
  1.3.0 before 1.3.0.130        affected
  1.4.0 before 1.4.0.133        affected
  1.5.0 before 1.5.0.135        affected
  2.0.0 before 2.0.0.341        affected

Default status: unaffected
  Any version before 1.3.0      unknown
  1.3.0 before 1.3.0.113        affected
  1.4.0 before 1.4.0.129        affected
  1.5.0 before 1.5.0.119        affected

Default status: unaffected
  2.0.0 before 2.0.0.362        affected

Default status: unknown
  5.7.5 before 5.7.5.9          affected
  5.10.86 before 5.10.86.4      affected
  5.10.112 before 5.10.112.14   affected
  5.11.148 before 5.11.148.13   affected
  5.11.256 before 5.11.256.15   affected
  5.12.153 before 5.12.153.58   affected
  5.12.387 before 5.12.387.41   affected
  5.14.97 before 5.14.97.75     affected
  5.17.5 before 5.17.5.282      affected
  5.17.118 before 5.17.118.4    affected
  5.18.187 before 5.18.187.265  affected
  5.18.248 before 5.18.248.14   affected
  5.23.8 before 5.23.8.184      affected
  5.24.8 before 5.24.8.6        affected
  5.25.92 before 5.25.92.92     affected
  5.25.705 before 5.25.705.6    affected
  7.0.78 before 7.0.78.32       affected
  7.3.44                        unaffected
Credits
Anonymous working with Trend Micro Zero Day Initiative (reporter)
References
security.docs.wso2.com/...ty-advisories/2024/WSO2-2024-3561/ (vendor advisory)
security.docs.wso2.com/...delines-for-production-deployment/ (related)
cve.org (CVE-2024-6914)
nvd.nist.gov (CVE-2024-6914)