Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-1524

Summary
Assigner-WSO2
Assigner Org ID-ed10eef1-636d-4fbe-9993-6890dfa878f8
Published At-24 Feb, 2026 | 08:51
Updated At-24 Feb, 2026 | 14:28
Rejected At-
Credits

A local user can be impersonated when using federated authentication with Silent JIT Provisioning.

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control. The Deployment should have: -An IDP configured for federated authentication with Silent JIT provisioning enabled. The malicious actor should have: -A fresh valid user account in the federated IDP that has not been used earlier. -Knowledge of the username of a valid user in the local IDP. -An account at the federated IDP matching the targeted local username.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:WSO2
Assigner Org ID:ed10eef1-636d-4fbe-9993-6890dfa878f8
Published At:24 Feb, 2026 | 08:51
Updated At:24 Feb, 2026 | 14:28
Rejected At:
▼CVE Numbering Authority (CNA)
A local user can be impersonated when using federated authentication with Silent JIT Provisioning.

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control. The Deployment should have: -An IDP configured for federated authentication with Silent JIT provisioning enabled. The malicious actor should have: -A fresh valid user account in the federated IDP that has not been used earlier. -Knowledge of the username of a valid user in the local IDP. -An account at the federated IDP matching the targeted local username.

Affected Products
Vendor
WSO2 LLCWSO2
Product
WSO2 API Manager
Default Status
unaffected
Versions
Affected
  • From 4.2.0 before 4.2.0.108 (custom)
Vendor
WSO2 LLCWSO2
Product
WSO2 Identity Server
Default Status
unaffected
Versions
Affected
  • From 6.0.0 before 6.0.0.171 (custom)
  • From 6.1.0 before 6.1.0.128 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-290CWE-290 Authentication Bypass by Spoofing
Type: CWE
CWE ID: CWE-290
Description: CWE-290 Authentication Bypass by Spoofing
Metrics
VersionBase scoreBase severityVector
3.17.7HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3144/#solution

Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3144/
vendor-advisory
Hyperlink: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3144/
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:ed10eef1-636d-4fbe-9993-6890dfa878f8
Published At:24 Feb, 2026 | 09:16
Updated At:24 Feb, 2026 | 14:13

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control. The Deployment should have: -An IDP configured for federated authentication with Silent JIT provisioning enabled. The malicious actor should have: -A fresh valid user account in the federated IDP that has not been used earlier. -Knowledge of the username of a valid user in the local IDP. -An account at the federated IDP matching the targeted local username.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.7HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Type: Secondary
Version: 3.1
Base score: 7.7
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-290Secondaryed10eef1-636d-4fbe-9993-6890dfa878f8
CWE ID: CWE-290
Type: Secondary
Source: ed10eef1-636d-4fbe-9993-6890dfa878f8
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3144/ed10eef1-636d-4fbe-9993-6890dfa878f8
N/A
Hyperlink: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3144/
Source: ed10eef1-636d-4fbe-9993-6890dfa878f8
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1Records found
CVE-2025-5605
Matching Score-6
Assigner-WSO2 LLC
ShareView Details
Matching Score-6
Assigner-WSO2 LLC
CVSS Score-4.3||MEDIUM
EPSS-5.96% / 90.53%
||
7 Day CHG-0.72%
Published-24 Oct, 2025 | 10:09
Updated-21 Nov, 2025 | 14:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Authentication Bypass via URI Manipulation in Multiple WSO2 Products' Management Console Leading to Partial Information Disclosure

An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access to the console can manipulate the request URI to bypass authentication and access certain restricted resources, resulting in partial information disclosure. The known exposure from this issue is limited to memory statistics. While the vulnerability does not allow full account compromise, it still enables unauthorized access to internal system details.

Action-Not Available
Vendor-WSO2 LLC
Product-identity_serveropen_banking_amuniversal_gatewayenterprise_integratorapi_manageridentity_server_as_key_manageropen_banking_iamtraffic_managerapi_control_planeWSO2 Open Banking AMorg.wso2.carbon:org.wso2.carbon.uiWSO2 Traffic ManagerWSO2 Open Banking IAMWSO2 Identity ServerWSO2 API Control PlaneWSO2 Identity Server as Key ManagerWSO2 Universal GatewayWSO2 API ManagerWSO2 Enterprise Integrator
CWE ID-CWE-290
Authentication Bypass by Spoofing
Details not found