WSO2 Identity Server Adaptive Authentication Authorization Bypass Vulnerability in Multi-Organization Deployments

Vulnerability

A vulnerability exists in WSO2 Identity Server 7.1.0 that allows for an authorization bypass in multi-organization deployments. The issue arises because the organization context is not properly validated during adaptive authentication flows. As a result, a malicious actor who is able to configure adaptive authentication in one organization can cause authentication processes to be triggered in other organizations and sub-organizations. This flaw can lead to unauthorized access to critical operations and user accounts across different organizations, potentially allowing privilege escalation and account takeover.

Impact

Exploitation of this vulnerability could result in unauthorized access to resources and user accounts in other organizations, bypassing established authorization boundaries. This may lead to privilege escalation and account takeover across organizations.

Remediation

Users of WSO2 Identity Server 7.1.0 should update to the specified update level or to a higher version. Community users can apply the public fix available on the WSO2 GitHub repository. Support subscription holders can use WSO2 Updates to apply the fix.

Added: May 11, 2026, 12:19 PM
Updated: May 11, 2026, 12:19 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 5.0
exploitability: 4.5
remediation: 7.7
relevance: 7.8
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.