CVE-2024-2321
Published 2025-02-27
Priority: P4 · 32 · Severity: medium · CVSS 3.1 base score: 5.6
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS: 0.22% (12.7th percentile)
An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations.
Exploitation requires an attacker to obtain a valid refresh token of an admin user. Since refresh tokens generally have a longer expiration time, this could lead to prolonged unauthorized access to API resources, impacting data confidentiality and integrity.
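The two paragraphs above describe a token-mapping mistake: the resource server resolves whatever bearer string it receives against its token store and authorizes if the token is live and carries the scope, without ever asking what kind of token it is. The block below is an added model of that flaw, not WSO2 code: a hypothetical in-memory `TokenStore` issues a short-lived access token and a long-lived refresh token per grant, and `authorize_vulnerable` and `authorize_fixed` differ only in whether they check the token kind. The TTLs, scope name and subject are constructed values.

```python
"""Model of the token-mapping flaw described for CVE-2024-2321.

Added example, not WSO2 code: a small in-memory token store issues an access
token and a longer-lived refresh token per grant, and two authorization
checks differ only in whether they consult the token kind.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    value: str
    kind: str              # "access" or "refresh"
    subject: str           # user the grant belongs to
    scopes: frozenset      # scopes granted
    expires_at: float      # unix time


class TokenStore:
    """Single lookup table keyed by token string, holding both kinds of token
    (the 'token mapping' that lets one kind be mistaken for the other)."""

    def __init__(self):
        self._by_value = {}

    def issue(self, subject, scopes, now, access_ttl=3600, refresh_ttl=14 * 86400):
        # Constructed TTLs: one hour for access, fourteen days for refresh.
        access = Token(secrets.token_urlsafe(32), "access", subject, frozenset(scopes), now + access_ttl)
        refresh = Token(secrets.token_urlsafe(32), "refresh", subject, frozenset(scopes), now + refresh_ttl)
        self._by_value[access.value] = access
        self._by_value[refresh.value] = refresh
        return access, refresh

    def lookup(self, value):
        return self._by_value.get(value)


def authorize_vulnerable(store, bearer, required_scope, now):
    """Flawed resource-server check: any unexpired stored token carrying the scope
    is accepted; the kind is never tested, so a refresh token passes as an access token."""
    tok = store.lookup(bearer)
    if tok is None or tok.expires_at <= now or required_scope not in tok.scopes:
        return None
    return tok.subject


def authorize_fixed(store, bearer, required_scope, now):
    """Hardened check: a refresh token may only be presented to the token
    endpoint, never as the bearer credential for a protected API."""
    tok = store.lookup(bearer)
    if tok is None or tok.kind != "access":
        return None
    if tok.expires_at <= now or required_scope not in tok.scopes:
        return None
    return tok.subject


def demo():
    """Replay the scenario from the advisory: an admin's refresh token is stolen;
    after the access token expires, the refresh token alone still unlocks the API."""
    t0 = 1_700_000_000.0                       # constructed epoch time
    store = TokenStore()
    access, refresh = store.issue("admin", ["admin_api"], now=t0)
    later = t0 + 2 * 3600                      # access token expired, refresh token still live
    return {
        "vuln_access_fresh": authorize_vulnerable(store, access.value, "admin_api", t0 + 1),
        "vuln_refresh_fresh": authorize_vulnerable(store, refresh.value, "admin_api", t0 + 1),
        "vuln_refresh_later": authorize_vulnerable(store, refresh.value, "admin_api", later),
        "fixed_access_fresh": authorize_fixed(store, access.value, "admin_api", t0 + 1),
        "fixed_refresh_fresh": authorize_fixed(store, refresh.value, "admin_api", t0 + 1),
        "fixed_refresh_later": authorize_fixed(store, refresh.value, "admin_api", later),
    }


if __name__ == "__main__":
    for name, subject in demo().items():
        print(f"{name:20s} -> {subject!r}")
```

The `vuln_refresh_later` entry is the prolonged-access case the advisory warns about: the access token has aged out, but the vulnerable path keeps honouring the refresh token for as long as its own, much longer, lifetime runs. In a real deployment the equivalent of `kind` may be a column in the token table, a claim in a self-contained token, or the `token_type` field of an introspection response; whichever it is, the API-side check has to consult it.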
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_manager | not given | not given |
| wso2 | api_manager | not given | not given |
| wso2 | api_manager | not given | not given |
| wso2 | identity_server | not given | not given |
| wso2 | identity_server | not given | not given |
| wso2 | identity_server | not given | not given |
| wso2 | wso2_api_manager | >= 4.0.0 < 4.0.0.275 | 4.0.0.275 |
| wso2 | wso2_api_manager | >= 4.1.0 < 4.1.0.153 | 4.1.0.153 |
| wso2 | wso2_api_manager | >= 4.2.0 < 4.2.0.83 | 4.2.0.83 |
| wso2 | wso2_identity_server | >= 5.11.0 < 5.11.0.326 | 5.11.0.326 |
| wso2 | wso2_identity_server | >= 6.0.0 < 6.0.0.172 | 6.0.0.172 |
| wso2 | wso2_identity_server | >= 6.1.0 < 6.1.0.130 | 6.1.0.130 |
The "Fixed in" values are WSO2 update levels, not separate product releases: 4.0.0.275 is API Manager 4.0.0 at update 275, so a deployment on 4.0.0 must be at that update level or later to carry the fix.
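Once a deployment is on one of the fixed update levels, the cheapest confirmation is to present a refresh token where an access token belongs and watch for a 401/403. The block below is an added example of that check, not a WSO2 tool. It assumes you hold a refresh token for a throwaway test account on the deployment under test and the URL of an API that must require an access token; both are supplied on the command line (the URL in the test is a placeholder). The HTTP call is isolated behind `send` so the classification logic runs offline.

```python
"""Post-fix verification probe for CVE-2024-2321.

Added example, not a WSO2 tool. It presents a refresh token where an access
token belongs and reports whether the protected API still accepts it.
Inputs are assumptions: a refresh token for a test account and the URL of an
API on the same deployment that must require an access token.
"""
import sys
import urllib.error
import urllib.request


def build_probe_request(url, refresh_token):
    """The refresh token goes into the Authorization header exactly as a
    client would place an access token; nothing else about the call is special."""
    return urllib.request.Request(
        url,
        method="GET",
        headers={"Authorization": f"Bearer {refresh_token}", "Accept": "application/json"},
    )


def classify(status):
    """Map the HTTP status of the probe to a verdict.
    2xx: the resource was served on a refresh token (the CVE-2024-2321 behaviour).
    401/403: the expected post-fix outcome. Anything else needs a manual look."""
    if 200 <= status < 300:
        return "accepted"
    if status in (401, 403):
        return "rejected"
    return "inconclusive"


def send_real(req, timeout=10):
    """Perform the request and return the status code, whatever it is."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(url, refresh_token, send=send_real):
    """Run the probe; `send` is injectable so the logic can be exercised offline."""
    status = send(build_probe_request(url, refresh_token))
    return classify(status), status


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: probe.py <protected-api-url> <refresh-token>")
    verdict, code = probe(sys.argv[1], sys.argv[2])
    print(f"HTTP {code}: refresh token {verdict} as bearer credential")
    sys.exit(1 if verdict == "accepted" else 0)
```

Two caveats when reading the result. Use a refresh token for a low-privilege test account, not an administrator's, since a positive result means the request actually executed. And first confirm that a genuine access token returns 2xx on the same URL, so that a 401 reflects rejection of the token kind rather than a wrong path or a disabled endpoint.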
GHSA · 2025-02-27 · CVE-2024-2321 [MEDIUM] · CWE-863 (Incorrect Authorization) · WSO2 incorrect authorization vulnerability
Carries the same two-paragraph description as the CVE entry above.
OSV · 2025-02-27 · CVE-2024-2321 [MEDIUM] · WSO2 incorrect authorization vulnerability
Carries the same two-paragraph description as the CVE entry above.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.