/
Security Advisory WSO2-2021-1482
com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links' is unknown.

Security Advisory WSO2-2021-1482

Owned by Former user (Deleted)
Last updated: Feb 15, 2022

Published: 14th February 2022

Version: 1.0.0

Severity: High

CVSS Score:  7.7 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:L)


AFFECTED PRODUCTS

WSO2 API Manager : 2.2.0 , 2.5.0 , 2.6.0 , 3.0.0 , 3.2.0 , 4.0.0
WSO2 API Microgateway : 2.2.0
WSO2 IS as Key Manager : 5.5.0 , 5.6.0 , 5.7.0 , 5.9.0 , 5.10.0
WSO2 IoT Server : 3.3.1


OVERVIEW

Potential user impersonation when using JWT bearer grant type with identity federation.


DESCRIPTION

When JWT bearer grant type is used with identity federation, a malicious actor may use or create an account in the federated IDP with the same username as a targeted local user in order to impersonate the local user and gain privileges the local user has.


IMPACT

To leverage this vulnerability, the malicious actor must have a user account in the configured federated IDP with the same username as the targeted local user. If such access is obtained, the malicious actor could generate x-jwt-assertion with the details of the targeted local user. This may result in user impersonation, if backend services rely on details provided in the x-jwt-assertion for authentication or authorization.


SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix: https://github.com/wso2/carbon-apimgt/pull/10836


please make sure those are followed properly. There may be some requirements to pass the federated user claims to the backend in production. Therefore, after adding the fix, the existing behavior will be executed to avoid the break in current use cases. If your deployment does not have such a requirement please follow the below given instructions.

For 3.0 and upper versions, add the following configurations into the "<APIM_HOME>repository/conf/deployment.toml" file to enable the fix.

deployment.toml
[apim.jwt]
binding_federated_user_claims=false


For 2.x versions, please add the following configurations in the <JWTConfiguration> section on "<APIM_HOME>repository/conf/api-manager.xml" file to enable the fix.

api-manager.xml
<EnableBindingFederatedUserClaims>false</EnableBindingFederatedUserClaims>


Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.


CREDITS

WSO2 thanks, Bruno Monteiro for responsibly reporting the identified issue and working with us as we addressed it.

Related content

com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links2' is unknown.