Vulnerability Database

308,379

Total vulnerabilities in the database

CVE-2024-7096

A privilege escalation vulnerability exists in multiple [Vendor Name] products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met:

  • SOAP admin services are accessible to the attacker.
  • The deployment includes an internally used attribute that is not part of the default WSO2 product configuration.
  • At least one custom role exists with non-default permissions.
  • The attacker has knowledge of the custom role and the internal attribute used in the deployment.

Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms.

CVSS v3:

  • Severity: Unknown
  • Score:
  • AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWEs:

Software From Fixed in
Maven icon org.wso2.am / am-parent 2.0.0 4.4.0
Maven icon org.wso2.is / identity-server-parent 5.2.0 7.1.0
wso2 / api_manager 2.0.0 2.0.0.x
wso2 / api_manager 2.1.0 2.1.0.x
wso2 / api_manager 2.2.0 2.2.0.x
wso2 / api_manager 2.5.0 2.5.0.x
wso2 / api_manager 2.6.0 2.6.0.x
wso2 / api_manager 3.0.0 3.0.0.x
wso2 / api_manager 3.1.0 3.1.0.x
wso2 / api_manager 3.2.0 3.2.0.x
wso2 / api_manager 3.2.1 3.2.1.x
wso2 / api_manager 4.0.0 4.0.0.x
wso2 / api_manager 4.1.0 4.1.0.x
wso2 / api_manager 4.2.0 4.2.0.x
wso2 / api_manager 4.3.0 4.3.0.x
wso2 / identity_server 5.2.0 5.2.0.x
wso2 / identity_server 5.3.0 5.3.0.x
wso2 / identity_server 5.4.0 5.4.0.x
wso2 / identity_server 5.4.1 5.4.1.x
wso2 / identity_server 5.5.0 5.5.0.x
wso2 / identity_server 5.6.0 5.6.0.x
wso2 / identity_server 5.7.0 5.7.0.x
wso2 / identity_server 5.8.0 5.8.0.x
wso2 / identity_server 5.9.0 5.9.0.x
wso2 / identity_server 5.10.0 5.10.0.x
wso2 / identity_server 5.11.0 5.11.0.x
wso2 / identity_server 6.0.0 6.0.0.x
wso2 / identity_server 6.1.0 6.1.0.x
wso2 / identity_server 7.0.0 7.0.0.x
wso2 / identity_server_as_key_manager 5.3.0 5.3.0.x
wso2 / identity_server_as_key_manager 5.5.0 5.5.0.x
wso2 / identity_server_as_key_manager 5.6.0 5.6.0.x
wso2 / identity_server_as_key_manager 5.7.0 5.7.0.x
wso2 / identity_server_as_key_manager 5.9.0 5.9.0.x
wso2 / identity_server_as_key_manager 5.10.0 5.10.0.x
wso2 / open_banking_am 1.3.0 1.3.0.x
wso2 / open_banking_am 1.4.0 1.4.0.x
wso2 / open_banking_am 1.5.0 1.5.0.x
wso2 / open_banking_am 2.0.0 2.0.0.x
wso2 / open_banking_iam 2.0.0 2.0.0.x
wso2 / open_banking_km 1.3.0 1.3.0.x
wso2 / open_banking_km 1.4.0 1.4.0.x
wso2 / open_banking_km 1.5.0 1.5.0.x