/
Security Advisory WSO2-2021-1438
com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links' is unknown.

Security Advisory WSO2-2021-1438

Owned by Former user (Deleted)
Last updated: Apr 12, 2022

Published: 1st April 2022

Version: 1.0.0

Severity: Medium

CVSS Score:  5.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N)


AFFECTED PRODUCTS

WSO2 API Manager : 3.1.0 , 3.2.0 , 4.0.0


OVERVIEW

Existing JWT access tokens are not revoked when a new access token is generated.


DESCRIPTION

When a new JWT access token is created for a combination of application, user, and scopes, existing access tokens related to that combination are not revoked and they will be valid until they expire. Due to this behaviour, users will not be able to revoke such already issued access tokens until they expire.


IMPACT

Impact could occur when a user is in need of revoking a compromised JWT access token. Due to the vulnerability, since old JWT tokens are not revoked, the malicious actor may still use such tokens to gain access to resources in the resource server. The Confidentiality and Integrity impact of that vulnerability would vary on the sensitivity of those resources in the resource server. However, since this requires obtaining an active JWT access token, the attack complexity is high.


SOLUTION

If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix: https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/1647

Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.

Related content

com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links2' is unknown.