CVE-2024-7096
published 2025-05-30CVE-2024-7096: A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new…
PriorityP428medium5.4CVSS 3.1
AVAACLPRNUINSUCLILAN
EPSS
0.59%
43.9th percentile
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met: * SOAP admin services are accessible to the attacker. * The deployment includes an internally used attribute that is not part of the default WSO2 product configuration. * At least one custom role exists with non-default permissions. * The attacker has knowledge of the custom role and the internal attribute used in the deployment. Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms.
Affected
82 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | api_manager | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server | — | — |
CVSS provenance
nvdv3.15.4MEDIUMCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
osv3.7LOW
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services
osv·2025-05-30
CVE-2024-7096 [MEDIUM] WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services
WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met:
* SOAP admin services are accessible to the attacker.
* The deployment includes an internally used attribute that is not part of the default WSO2 product configuration.
* At least one custom role exists with non-default permissions.
* The attacker has knowledge of the custom role and the internal attribute used in the deployment.
Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended
GHSA
WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services
ghsa·2025-05-30
CVE-2024-7096 [MEDIUM] CWE-863 WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services
WSO2 products vulnerable to privilege escalation due to business logic flaw in SOAP admin services
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met:
* SOAP admin services are accessible to the attacker.
* The deployment includes an internally used attribute that is not part of the default WSO2 product configuration.
* At least one custom role exists with non-default permissions.
* The attacker has knowledge of the custom role and the internal attribute used in the deployment.
Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended
OSV
openjdk-8 regressions
osv·2025-02-05·CVSS 3.7
CVE-2024-21208 openjdk-8 regressions
openjdk-8 regressions
USN-7096-1 fixed vulnerabilities in OpenJDK 8. The update introduced
several minor regressions. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
Andy Boothe discovered that the Networking component of OpenJDK 8 did not
properly handle access under certain circumstances. An unauthenticated
attacker could possibly use this issue to cause a denial of service.
(CVE-2024-21208)
It was discovered that the Hotspot component of OpenJDK 8 did not properly
handle vectorization under certain circumstances. An unauthenticated
attacker could possibly use this issue to access unauthorized resources
and expose sensitive information. (CVE-2024-21210, CVE-2024-21235)
It was discovered that the Serialization component of OpenJDK 8 did
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-05-30
Published