PT-2026-55730 · WSO2 · WSO2 API Manager +3
Published 2026-07-04 · Updated 2026-07-04 · CVE-2024-1248
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions
The advisory does not state affected versions; the affected WSO2 products are those listed under Affected Products below.
Description
The silent Just-In-Time (JIT) provisioning feature of the federated authentication implementation does not segregate local and federated identities when it creates or updates an account. Provisioning is keyed on the username alone: if a federated user authenticates with the same username as an existing local user, the provisioning step writes the roles asserted for the federated user over the local user's existing role assignments instead of refusing the collision or keeping the local roles intact. The precondition is a federated identity provider (IdP) with silent JIT provisioning enabled and an attacker who can authenticate through that IdP under a username they know belongs to a local user. The local account ends up with only the roles defined for it on the IdP side and loses whatever it held locally, which is why the vector records low integrity and low availability impact and no confidentiality impact. Roles written this way are limited to those the IdP defines, which are usually minimal unless the IdP administrator has configured otherwise; the severity therefore depends heavily on which IdPs are trusted and who controls them.
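The collision described above, modelled as a small in-memory user store rather than WSO2's own code: an added example written for this page, not taken from the vendor or the advisory. The vulnerable provisioner upserts by username and replaces roles; the hardened one refuses to touch an account it did not create for that same IdP. A third function is the audit check a practitioner would run against a role snapshot to find local accounts that were overwritten. All account names, role names and the `partner-idp` identifier are invented.

```python
"""Model of silent JIT provisioning and the username-collision role overwrite.

Constructed illustration for this advisory; not WSO2 code. All usernames,
roles and IdP names below are invented.
"""
from dataclasses import dataclass


@dataclass
class Account:
    username: str
    roles: set
    origin: str  # "local" or "federated:<idp-name>"


class UserStore:
    """Minimal in-memory user store keyed by username (constructed)."""

    def __init__(self):
        self.accounts = {}

    def add_local(self, username, roles):
        self.accounts[username] = Account(username, set(roles), "local")

    def get(self, username):
        return self.accounts.get(username)


def jit_provision_silent_vulnerable(store, idp, username, idp_roles):
    """Behaviour the advisory describes: the federated login is written by
    username alone, so a local account of the same name has its roles
    replaced with whatever the IdP asserted."""
    store.accounts[username] = Account(username, set(idp_roles), f"federated:{idp}")
    return store.accounts[username]


def jit_provision_silent_hardened(store, idp, username, idp_roles):
    """Segregate identities: never modify an existing local account, and only
    refresh roles on an account this same IdP provisioned earlier."""
    existing = store.get(username)
    if existing is None:
        store.accounts[username] = Account(username, set(idp_roles), f"federated:{idp}")
        return store.accounts[username]
    if existing.origin != f"federated:{idp}":
        raise PermissionError(
            f"refusing silent JIT for {username!r}: name collides with a "
            f"{existing.origin} account")
    existing.roles = set(idp_roles)
    return existing


def changed_local_roles(baseline, store):
    """Audit check: local accounts whose origin or roles differ from a
    snapshot taken before federated logins were enabled.
    Returns {username: (baseline_roles, current_roles_or_None)}."""
    findings = {}
    for username, roles in baseline.items():
        acct = store.get(username)
        if acct is None or acct.origin != "local" or acct.roles != set(roles):
            findings[username] = (set(roles), None if acct is None else acct.roles)
    return findings


def demo():
    baseline = {"alice": {"admin", "internal/everyone"}}

    # Vulnerable path: a federated "alice" from partner-idp overwrites the local admin.
    vuln = UserStore()
    vuln.add_local("alice", baseline["alice"])
    jit_provision_silent_vulnerable(vuln, "partner-idp", "alice", {"guest"})
    vuln_roles = vuln.get("alice").roles  # {"guest"}: admin role is gone
    vuln_findings = changed_local_roles(baseline, vuln)  # alice is flagged

    # Hardened path: the collision is refused and the local roles survive.
    hard = UserStore()
    hard.add_local("alice", baseline["alice"])
    try:
        jit_provision_silent_hardened(hard, "partner-idp", "alice", {"guest"})
        blocked = False
    except PermissionError:
        blocked = True
    hard_roles = hard.get("alice").roles  # unchanged
    return vuln_roles, vuln_findings, blocked, hard_roles


if __name__ == "__main__":
    print(demo())
```

The hardened variant errs on the side of refusing the login; an alternative that prompts the user or provisions federated identities into a namespace that cannot collide with local usernames achieves the same segregation, and either is preferable to merging roles, which would let the IdP still add roles to a local account.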
Recommendations
At the moment there is no information about a newer version that contains a fix for this vulnerability. Mitigations that follow directly from the description: turn off silent JIT provisioning for federated IdPs (use a provisioning mode that does not create or update accounts without user interaction), treat any IdP you do not control as an untrusted source of usernames, and audit local accounts whose role assignments changed after federated logins were enabled, since an overwritten account keeps only the roles the IdP asserted.
Affected Products
WSO2 API Manager
WSO2 Identity Server
WSO2 Identity Server as Key Manager
WSO2 Open Banking AM