WSO2 Username Enumeration Vulnerability in Multi-Attribute Login

Vulnerability

A username enumeration vulnerability has been identified in multiple WSO2 products, including WSO2 Identity Server versions 5.10.0, 5.11.0, 6.0.0 and 6.1.0, WSO2 Open Banking IAM 2.0.0, and WSO2 Identity Server as Key Manager 5.10.0. The vulnerability arises when Multi-Attribute Login is enabled: the login form consistently receives a distinct 'User does not exist' error message for unknown identifiers, regardless of the validate_username setting. Because that message differs from the one returned for a wrong password, an attacker can infer which usernames are valid in the system, potentially facilitating brute-force attacks, targeted phishing campaigns, or other social engineering tactics by confirming the existence of user identifiers.
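The following is an added illustration, not WSO2 code: a toy multi-attribute login resolver whose vulnerable variant returns a distinct 'User does not exist' message, beside a hardened variant that returns one generic failure message whether the identifier is unknown or the password is wrong, plus a check a defender can run to confirm the two failure paths are indistinguishable. The user store, attribute names and hashing scheme are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample store (assumption). Each user has the attributes that a
# multi-attribute login may accept as the login identifier. SHA-256 of the
# password stands in for a real password hash in this toy only.
USERS = {
    "alice": {"email": "alice@example.test", "mobile": "+15550100",
              "pw": hashlib.sha256(b"correct horse").hexdigest()},
}
LOGIN_ATTRIBUTES = ("username", "email", "mobile")
GENERIC_FAILURE = "Invalid username or password"
DUMMY_USER = {"pw": hashlib.sha256(b"dummy").hexdigest()}


def resolve_user(identifier):
    """Map a login identifier to a user record by trying each allowed attribute."""
    for name, user in USERS.items():
        values = {"username": name, "email": user["email"], "mobile": user["mobile"]}
        if any(values[attr] == identifier for attr in LOGIN_ATTRIBUTES):
            return user
    return None


def check_password(user, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, user["pw"])


def authenticate_vulnerable(identifier, password):
    """Leaks existence: the failure message differs for unknown vs. known identifiers."""
    user = resolve_user(identifier)
    if user is None:
        return (False, "User does not exist")
    if not check_password(user, password):
        return (False, "Invalid credentials")
    return (True, "OK")


def authenticate_hardened(identifier, password):
    """Same message for an unknown identifier and for a wrong password."""
    user = resolve_user(identifier)
    # Always run the hash comparison (against a dummy record when the user is
    # missing) so both failure paths do the same work as well as say the same thing.
    ok = check_password(user or DUMMY_USER, password) and user is not None
    return (True, "OK") if ok else (False, GENERIC_FAILURE)


def leaks_user_existence(auth_fn, known_identifier, unknown_identifier):
    """Defender check: True if the failure messages distinguish the two cases."""
    _, known_msg = auth_fn(known_identifier, "wrong password")
    _, unknown_msg = auth_fn(unknown_identifier, "wrong password")
    return known_msg != unknown_msg
```

Running `leaks_user_existence` against a login endpoint on your own instance, with one identifier you know exists and one you know does not, is the same comparison a patch verification needs.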

Impact

Exploitation of this vulnerability could lead to the enumeration of valid usernames, increasing the risk of subsequent brute-force attacks or social engineering efforts, such as phishing campaigns, aimed at those users.

Remediation

Users are advised to update to the latest version of the affected WSO2 products. WSO2 Support Subscription Holders can use WSO2 Updates to apply the fix.

Added: Sep 26, 2025, 8:21 AM
Updated: Sep 26, 2025, 3:48 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 0.6
exploitability: 6.8
remediation: 7.7
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.