WSO2 Identity Server
cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*
A vulnerability allowing incorrect authorization has been identified in multiple WSO2 products. This issue enables protected APIs to be accessed directly with a refresh token, rather than the required access token. The vulnerability arises from inadequate authorization checks and improper token mapping, which eliminate the need for session cookies when accessing APIs. To exploit this vulnerability, an attacker must obtain a valid refresh token from an admin user. Given that refresh tokens typically have a longer expiration period, this could result in extended unauthorized access to API resources, thereby compromising data confidentiality and integrity.
Exploitation of this vulnerability could lead to unauthorized access to protected APIs, allowing for unauthorized operations to be performed. This could result in prolonged unauthorized access to API resources, with potential implications for data confidentiality and integrity.
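The flaw described above is a token-type confusion: the API's bearer-token check validates that a token is live and carries the right scope, but never asks whether it is an access token or a refresh token, so a refresh token works wherever an access token is expected. The following illustration is added here and is not WSO2 code or code from the advisory; it models a generic resource-server check with a flawed variant beside a hardened one, and all tokens, subjects, scope names and the in-memory token store are constructed for the example.

```python
"""Token-type confusion: flawed vs. hardened bearer-token authorization.

Constructed illustration (not WSO2 code). A resource server that only
checks liveness and scope accepts refresh tokens as bearer credentials;
the hardened check additionally requires token_type == "access" and
records the anomaly for detection.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TokenRecord:
    subject: str
    token_type: str        # "access" or "refresh"
    scopes: frozenset
    expires_at: float      # epoch seconds


# Fixed "current time" so the example is deterministic.
NOW = 1_700_000_000.0

# Constructed stand-in for the authorization server's token table or
# introspection endpoint. Note the refresh token's much longer lifetime.
TOKEN_STORE = {
    "acc-admin-1": TokenRecord("admin", "access", frozenset({"users:read"}), NOW + 3600),
    "ref-admin-1": TokenRecord("admin", "refresh", frozenset({"users:read"}), NOW + 14 * 86400),
    "acc-expired": TokenRecord("admin", "access", frozenset({"users:read"}), NOW - 1),
}

# Simple audit sink; a real deployment would emit this to its SIEM.
AUDIT_LOG = []


def audit(event: str, subject: str) -> None:
    AUDIT_LOG.append((event, subject))


def _lookup(token: str, now: float):
    """Return the live record for a token, or None if unknown/expired."""
    rec = TOKEN_STORE.get(token)
    if rec is None or rec.expires_at <= now:
        return None
    return rec


def authorize_weak(token: str, required_scope: str, now: float = NOW) -> bool:
    """Flawed check: any live token with the scope is accepted.

    Because token_type is never consulted, a refresh token obtained for
    an admin user authorizes API calls for as long as the refresh token
    lives.
    """
    rec = _lookup(token, now)
    return rec is not None and required_scope in rec.scopes


def authorize(token: str, required_scope: str, now: float = NOW):
    """Hardened check: a bearer token presented to an API must be an
    access token. Returns ("allow", subject) or ("deny", reason)."""
    rec = _lookup(token, now)
    if rec is None:
        return ("deny", "unknown_or_expired")
    if rec.token_type != "access":
        # A refresh token arriving as a bearer credential is never
        # legitimate client behaviour, so it is worth alerting on.
        audit("refresh_token_used_as_bearer", rec.subject)
        return ("deny", "not_an_access_token")
    if required_scope not in rec.scopes:
        return ("deny", "insufficient_scope")
    return ("allow", rec.subject)


if __name__ == "__main__":
    for tok in TOKEN_STORE:
        print(f"{tok:12} weak={authorize_weak(tok, 'users:read')!s:5} "
              f"hardened={authorize(tok, 'users:read')}")
    print("audit:", AUDIT_LOG)
```

The check on `token_type` is the one-line difference between the two functions; the audit call beside it is what turns the same condition into a detection signal, since a refresh token used directly against an API never occurs in a correctly behaving client.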