WSO2 Identity Server Unauthenticated SSRF Vulnerability (CVE-2024-7073) Advisory

Key Information Vulnerability Overview Vulnerability ID: WSO2-2024-3562/CVE-2024-7073 Release Date: November 10, 2024 Version: 1.0.0 Severity: Medium CVSS Score: 6.5 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) Affected Products WSO2 Identity Server: 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0, 5.9.0, 5.8.0, 5.7.0, 5.6.0, 5.5.0, 5.4.1, 5.4.0, 5.3.0, 5.2.0 WSO2 Identity Server as Key Manager: 5.10.0, 5.9.0, 5.7.0, 5.6.0, 5.5.0, 5.3.0 WSO2 Open Banking IAM: 2.0.0 WSO2 Open Banking KM: 1.5.0, 1.4.0, 1.3.0 Vulnerability Description Summary: Unauthenticated Server-Side Request Forgery (SSRF) in SOAP Management Services. Detailed Description: Due to lack of input validation, malicious actors can perform Server-Side Request Forgery (SSRF) attacks via the SOAP management service. Impact Impact: This vulnerability allows malicious actors to access internal and external resources available over the network or file system. This could lead to unauthorized access to sensitive data and systems, regardless of whether these resources are located within a private network, as long as they are accessible by WSO2 products. Remediation Community Users (Open Source): Update the product using the provided public fix. - GitHub Link Commercial Users: Upgrade the product to the specified update level or higher to apply the fix. All Users: If unable to apply the fix or upgrade, migrate to the latest unaffected version of the WSO2 product.

Goal Reached Thanks to every supporter — we hit 100%!

WSO2 Identity Server Unauthenticated SSRF Vulnerability (CVE-2024-7073) Advisory