CVE-2024-1248 PUBLISHED

Role Overwriting via Silent JIT Provisioning in Multiple WSO2 Products Enables Privilege Escalation

Assigner: WSO2
Reserved: 06.02.2024 Published: 04.07.2026 Updated: 04.07.2026

The silent Just-In-Time (JIT) provisioning feature in the affected federated authentication implementations does not keep the roles of an existing local user separate from the roles asserted for a federated user when the two share a username. Instead of treating the collision as an existing account, the account-creation step overwrites the local user's existing roles with the roles assigned to the federated user.

Exploitation requires a federated identity provider (IdP) with silent JIT provisioning enabled and an attacker who knows a local user's username. When these conditions are met, an attacker can authenticate through the IdP with that username and cause the JIT provisioning step to replace the local user's roles, so the local user loses whatever roles it held before. The roles written to the local account are limited to those defined within the federated IdP, which typically grant minimal access unless the federated IdP administrator has explicitly configured otherwise.
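The collision described above, as an added example that models it in Python. This is not WSO2 code: the in-memory user store, the IdP name, the usernames and the role names are constructed, and the hardened variant shows one defensible policy (never let federated provisioning touch an administrator-created local account) rather than the vendor's fix.

```python
"""Model of the role-overwrite flaw in silent JIT provisioning.

Added example, not WSO2 code. A minimal in-memory user store and two
versions of the provisioning step that runs after a federated login.
The vulnerable version writes the IdP's role claims straight over the
roles of whatever account has the same username; the hardened version
provisions only genuinely new accounts (or refreshes accounts the same
IdP created earlier) and refuses to modify a local account.
All users, roles and the IdP name below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class User:
    username: str
    roles: Set[str] = field(default_factory=set)
    # "LOCAL" for administrator-created accounts, otherwise the name of
    # the IdP whose JIT provisioning created the account.
    provisioned_by: str = "LOCAL"


class UserStore:
    def __init__(self) -> None:
        self._users: Dict[str, User] = {}

    def add(self, user: User) -> None:
        self._users[user.username.lower()] = user

    def get(self, username: str) -> Optional[User]:
        # Case-insensitive lookup: "Admin" from the IdP collides with "admin".
        return self._users.get(username.lower())


class ProvisioningRefused(Exception):
    """Raised when a federated login would collide with a local account."""


def jit_provision_vulnerable(store: UserStore, idp: str,
                             username: str, idp_roles: Set[str]) -> User:
    """Silent JIT as the advisory describes it: the roles asserted by the
    IdP replace the stored roles of whatever account has this username."""
    user = store.get(username)
    if user is None:
        user = User(username, provisioned_by=idp)
        store.add(user)
    user.roles = set(idp_roles)   # overwrite, even for a LOCAL account
    return user


def jit_provision_hardened(store: UserStore, idp: str,
                           username: str, idp_roles: Set[str]) -> User:
    """Create the account only if the username is free; refresh roles only
    for accounts this same IdP provisioned; never touch a local account."""
    user = store.get(username)
    if user is None:
        user = User(username, roles=set(idp_roles), provisioned_by=idp)
        store.add(user)
        return user
    if user.provisioned_by != idp:
        raise ProvisioningRefused(
            f"{username!r} already exists as a {user.provisioned_by} account")
    user.roles = set(idp_roles)   # our own federated user: roles may change
    return user


def demo() -> Tuple[Set[str], Set[str]]:
    """Run the same federated login as 'admin' against both implementations
    and return the local admin account's roles afterwards:
    (vulnerable, hardened)."""
    attacker_idp = "attacker-idp"            # constructed IdP name
    idp_roles = {"Internal/everyone"}        # minimal role set the IdP asserts

    vuln_store = UserStore()
    vuln_store.add(User("admin", roles={"admin", "Internal/everyone"}))
    jit_provision_vulnerable(vuln_store, attacker_idp, "admin", idp_roles)

    safe_store = UserStore()
    safe_store.add(User("admin", roles={"admin", "Internal/everyone"}))
    try:
        jit_provision_hardened(safe_store, attacker_idp, "admin", idp_roles)
    except ProvisioningRefused:
        pass   # the local account is left exactly as it was

    return vuln_store.get("admin").roles, safe_store.get("admin").roles


if __name__ == "__main__":
    vulnerable, hardened = demo()
    print("vulnerable:", sorted(vulnerable))   # the admin role is gone
    print("hardened:  ", sorted(hardened))     # local roles preserved
```

The model makes the impact of the vector visible: after the vulnerable path runs, the local administrator no longer holds the admin role (the availability component) and holds whatever the IdP chose to assert instead (the integrity component). Whether the collision is detected at all depends on the store treating the username lookup as a match for existing local accounts, which is why the hardened variant keys its decision on who created the account rather than on whether the username is already present.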

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
CVSS Score: 4.8

Product Status

Vendor WSO2
Product WSO2 API Manager
Versions Default: unaffected
  • unknown from 0 to 3.0.0 (excl.)
  • affected from 3.0.0 to 3.0.0.153 (excl.)
  • affected from 3.1.0 to 3.1.0.267 (excl.)
  • affected from 3.2.0 to 3.2.0.351 (excl.)
  • affected from 4.0.0 to 4.0.0.269 (excl.)
  • affected from 4.1.0 to 4.1.0.169 (excl.)
Vendor WSO2
Product WSO2 Identity Server
Versions Default: unaffected
  • unknown from 0 to 5.8.0 (excl.)
  • affected from 5.8.0 to 5.8.0.101 (excl.)
  • affected from 5.9.0 to 5.9.0.138 (excl.)
  • affected from 5.10.0 to 5.10.0.284 (excl.)
  • affected from 5.11.0 to 5.11.0.321 (excl.)
Vendor WSO2
Product WSO2 Identity Server as Key Manager
Versions Default: unaffected
  • unknown from 0 to 5.9.0 (excl.)
  • affected from 5.9.0 to 5.9.0.148 (excl.)
  • affected from 5.10.0 to 5.10.0.280 (excl.)
Vendor WSO2
Product WSO2 Open Banking AM
Versions Default: unaffected
  • unknown from 0 to 2.0.0 (excl.)
  • affected from 2.0.0 to 2.0.0.313 (excl.)
Vendor WSO2
Product WSO2 Open Banking IAM
Versions Default: unaffected
  • unknown from 0 to 2.0.0 (excl.)
  • affected from 2.0.0 to 2.0.0.333 (excl.)
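To check an installed build against the ranges above without reading them by hand, the following added helper (not a WSO2 tool) transcribes the Product Status table and compares a WSO2 version string, including its update level, against it. The version strings used in the sample calls are constructed.

```python
"""Check a WSO2 product version against the affected ranges on this page.

Added example, not a WSO2 tool. AFFECTED is transcribed from the Product
Status table above: each entry is (first affected version, first fixed
update level), with the upper bound exclusive as the table states.
WSO2 versions are compared as integer tuples, so a bare "3.2.0" sorts
below "3.2.0.351" and is reported as affected, while "3.2.0.351" is the
first unaffected update level of that line.
"""
from typing import Dict, List, Tuple

AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "WSO2 API Manager": [
        ("3.0.0", "3.0.0.153"), ("3.1.0", "3.1.0.267"), ("3.2.0", "3.2.0.351"),
        ("4.0.0", "4.0.0.269"), ("4.1.0", "4.1.0.169"),
    ],
    "WSO2 Identity Server": [
        ("5.8.0", "5.8.0.101"), ("5.9.0", "5.9.0.138"),
        ("5.10.0", "5.10.0.284"), ("5.11.0", "5.11.0.321"),
    ],
    "WSO2 Identity Server as Key Manager": [
        ("5.9.0", "5.9.0.148"), ("5.10.0", "5.10.0.280"),
    ],
    "WSO2 Open Banking AM": [("2.0.0", "2.0.0.313")],
    "WSO2 Open Banking IAM": [("2.0.0", "2.0.0.333")],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.10.0.284' -> (5, 10, 0, 284); raises ValueError on junk input."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a WSO2 version string: {version!r}")
    return tuple(int(p) for p in parts)


def status(product: str, version: str) -> str:
    """Return 'affected', 'unaffected' or 'unknown' for a product/version.

    'unknown' mirrors the table's own wording for versions older than the
    first listed line; 'unaffected' is the record's default for anything
    not inside a listed range (for example a line newer than the table),
    which is a statement about this record, not proof the build is safe.
    """
    if product not in AFFECTED:
        raise ValueError(f"product not listed in this advisory: {product!r}")
    ranges = AFFECTED[product]
    ver = parse_version(version)
    oldest_listed = min(parse_version(lo) for lo, _ in ranges)
    if ver < oldest_listed:
        return "unknown"
    for first_affected, first_fixed in ranges:
        if parse_version(first_affected) <= ver < parse_version(first_fixed):
            return "affected"
    return "unaffected"


if __name__ == "__main__":
    # Constructed sample inputs.
    for product, version in [
        ("WSO2 API Manager", "3.2.0"),
        ("WSO2 API Manager", "3.2.0.351"),
        ("WSO2 Identity Server", "5.7.0"),
        ("WSO2 Identity Server as Key Manager", "5.10.0.279"),
    ]:
        print(f"{product} {version}: {status(product, version)}")
```

Treat the result as a first filter only: a build that an update manager reports at or above the listed update level is clear for this record, while anything reported "affected" or "unknown" should be taken to the vendor advisory linked under Solutions.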

Solutions

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3179/#solution

References

Problem Types

  • CWE-298: Improper Handling of Identity During Provisioning

Impacts

  • CAPEC-26: Privilege Escalation