Security Advisory WSO2-2021-1526
- Former user (Deleted)
Published: 14th November 2022
Version: 1.0.0
Severity: Medium
CVSS Score: 4.4 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N)
AFFECTED PRODUCTS
WSO2 API Manager : 2.6.0 , 3.0.0 , 3.1.0 , 3.2.0 , 4.0.0 , 4.1.0
WSO2 IS as Key Manager : 5.7.0 , 5.9.0 , 5.10.0
WSO2 Identity Server : 5.7.0 , 5.8.0 , 5.9.0 , 5.10.0 , 5.11.0
OVERVIEW
Introspection of tokens is allowed from any tenant.
DESCRIPTION
In a multi-tenanted environment, details of access tokens can be obtained from the introspection endpoint by any user of any tenant who has the required privilege.
IMPACT
This issue is only applicable when a multi-tenancy feature is used. In order to leverage this vulnerability, a malicious actor should have a valid access token or required privilege to generate an access token of any tenant. If such information is obtained, a malicious actor can access the other tenant resources.
SOLUTION
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix:
- https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/1919
- https://github.com/wso2/carbon-identity-framework/pull/4043
Along with the patch, there will be a new feature introduced to disable the cross introspection when a multi-tenancy feature is used. To disable it, the following configuration to be added in the identity.xml (/repository/conf/identity /identity.xml)
<AllowCrossTenantTokenIntrospection>false</AllowCrossTenantTokenIntrospection>
Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.