PT-2026-55730 · Wso2 · Wso2 Api Manager+3

Published: 2026-07-04 · Updated: 2026-07-04 · CVE-2024-1248

CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined (affected versions not specified).

Description: The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation. When a federated user shares a username with a local user, the provisioning process can overwrite the existing roles of the local user with the roles assigned to the federated user. This occurs when a federated identity provider (IdP) has silent JIT provisioning enabled and the attacker knows the username of a local user. The resulting overwritten roles are limited to those defined within the federated IdP, which typically grant minimal access rights unless configured otherwise by the IdP administrator.
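As an added illustration of the role overwrite described above (not WSO2 code; the store layout, function names and the "partner-idp" sample are assumptions): a small Python model in which the weak JIT routine replaces a local user's roles, beside a hardened variant that keeps federated accounts in an IdP-qualified namespace, plus an audit helper that flags same-username collisions.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    username: str
    source: str                      # "local" or "federated:<idp>"
    roles: set = field(default_factory=set)

def new_store(local_users):
    """Constructed user store: {username: roles} for the local accounts."""
    return {u: Account(u, "local", set(r)) for u, r in local_users.items()}

def jit_provision_weak(store, idp, username, idp_roles):
    """Behaviour described in the advisory: the federated login is matched
    to whatever account carries the same username, and that account's
    roles are replaced by the roles asserted by the IdP."""
    acct = store.get(username)
    if acct is None:
        acct = store[username] = Account(username, f"federated:{idp}")
    acct.roles = set(idp_roles)      # a local user's roles are silently lost
    return acct

def jit_provision_hardened(store, idp, username, idp_roles):
    """Hardened variant (an assumption, not the vendor's fix): federated
    identities are keyed by IdP and username, so a federated login can
    never be matched to, or rewrite, a local account of the same name."""
    key = f"{idp}:{username}"
    acct = store.get(key)
    if acct is None:
        acct = store[key] = Account(username, f"federated:{idp}")
    acct.roles = set(idp_roles)      # only the federated account changes
    return acct

def collisions(store):
    """Audit helper: usernames held by both a local and a federated account,
    i.e. the situation the advisory describes, worth alerting on."""
    return sorted({a.username for a in store.values()
                   if a.source != "local"
                   and store.get(a.username, a).source == "local"})
```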
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Related Identifiers

CVE-2024-1248

Affected Products

Wso2 Api Manager
Wso2 Identity Server
Wso2 Identity Server As Key Manager
Wso2 Open Banking Am