CVE-2024-6914

EUVD-2024-54595

22.05.2025, 19:15

An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges.

This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9.8 CRITICAL	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
WSO2	CNA	8.8 HIGH	ADJACENT_NETWORK	LOW	NONE	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 38%

Affected Products (NVD)

Vendor	Product	Version
wso2	api_manager	2.2.0
wso2	api_manager	2.5.0
wso2	api_manager	2.6.0
wso2	api_manager	3.0.0
wso2	api_manager	3.1.0
wso2	api_manager	3.2.0
wso2	api_manager	3.2.1
wso2	api_manager	4.0.0
wso2	api_manager	4.1.0
wso2	api_manager	4.2.0
wso2	api_manager	4.3.0
wso2	identity_server	5.3.0
wso2	identity_server	5.4.0
wso2	identity_server	5.4.1
wso2	identity_server	5.5.0
wso2	identity_server	5.6.0
wso2	identity_server	5.7.0
wso2	identity_server	5.8.0
wso2	identity_server	5.9.0
wso2	identity_server	5.10.0
wso2	identity_server	5.11.0
wso2	identity_server	6.0.0
wso2	identity_server	6.1.0
wso2	identity_server	7.0.0
wso2	identity_server_as_key_manager	5.3.0
wso2	identity_server_as_key_manager	5.5.0
wso2	identity_server_as_key_manager	5.6.0
wso2	identity_server_as_key_manager	5.7.0
wso2	identity_server_as_key_manager	5.9.0
wso2	identity_server_as_key_manager	5.10.0
wso2	open_banking_am	1.3.0
wso2	open_banking_am	1.4.0
wso2	open_banking_am	1.5.0
wso2	open_banking_am	2.0.0
wso2	open_banking_iam	2.0.0
wso2	open_banking_km	1.3.0
wso2	open_banking_km	1.4.0
wso2	open_banking_km	1.5.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3561/

https://security.docs.wso2.com/en/latest/security-guidelines/security-guidelines-for-production-deployment/