PT-2023-32785 · Wso2 · Wso2

Published: 2023-12-15 · Updated: 2025-06-05 · CVE-2023-6837

CVSS v3.1: 8.5 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WSO2 products (affected versions not specified)

Description: The issue allows a malicious actor to perform user impersonation using JIT provisioning under specific conditions. These conditions include an IDP configured for federated authentication with JIT provisioning enabled and the "Prompt for username, password and consent" option, as well as a service provider using the IDP for federated authentication with the "Assert identity using mapped local subject identifier" flag enabled. The attacker must have a fresh valid user account in the federated IDP and knowledge of the username of a valid user in the local IDP.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Incorrect Authorization

Related identifiers

CVE-2023-6837
GHSA-F6JM-9PR8-9C3W

Affected products

Wso2