Vulnerabilities > CVE-2020-24705 - Unspecified vulnerability in Wso2 products

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

wso2

NVD

Published: 2020-08-27

Updated: 2024-01-11

Summary

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.

Vulnerable Configurations

Part	Description	Count
Application	Wso2 Wso2 Identity Server Analytics - Wso2 Identity Server Analytics 5.4.0 Wso2 Identity Server Analytics 5.4.1 Wso2 Identity Server Analytics 5.5.0 Wso2 Identity Server Analytics 5.6.0 Wso2 Identity Server AS KEY Manager - Wso2 Identity Server AS KEY Manager 1.9.0 Wso2 Identity Server AS KEY Manager 1.9.1 Wso2 Identity Server AS KEY Manager 1.10.0 Wso2 Identity Server AS KEY Manager 2.0.0 Wso2 Identity Server AS KEY Manager 2.1.0 Wso2 Identity Server AS KEY Manager 2.2.0 Wso2 Identity Server AS KEY Manager 2.5.0 Wso2 Identity Server AS KEY Manager 2.6.0 Wso2 Identity Server AS KEY Manager 3.0.0 Wso2 Identity Server AS KEY Manager 3.1.0 Wso2 Identity Server AS KEY Manager 5.0.0 Wso2 Identity Server AS KEY Manager 5.1.0 Wso2 Identity Server AS KEY Manager 5.2.0 Wso2 Identity Server AS KEY Manager 5.3.0 Wso2 Identity Server AS KEY Manager 5.4.0 Wso2 Identity Server AS KEY Manager 5.4.1 Wso2 Identity Server AS KEY Manager 5.5.0 Wso2 Identity Server AS KEY Manager 5.6.0 Wso2 Identity Server AS KEY Manager 5.7.0 Wso2 Identity Server AS KEY Manager 5.8.0 Wso2 Identity Server AS KEY Manager 5.9.0 Wso2 Identity Server AS KEY Manager 5.10.0 Wso2 Identity Server 1.5.0 Wso2 Identity Server 2.0.0 Wso2 Identity Server 2.0.1 Wso2 Identity Server 2.0.2 Wso2 Identity Server 2.0.3 Wso2 Identity Server 3.0.0 Wso2 Identity Server 3.0.1 Wso2 Identity Server 3.2.0 Wso2 Identity Server 3.2.2 Wso2 Identity Server 3.2.3 Wso2 Identity Server 4.0.0 Wso2 Identity Server 4.1.0 Wso2 Identity Server 4.5.0 Wso2 Identity Server 4.6.0 Wso2 Identity Server 5.0.0 Wso2 Identity Server 5.1.0 Wso2 Identity Server 5.2.0 Wso2 Identity Server 5.3.0 Wso2 Identity Server 5.4.0 Wso2 Identity Server 5.4.1 Wso2 Identity Server 5.5.0 Wso2 Identity Server 5.6.0 Wso2 Identity Server 5.7.0 Wso2 Identity Server 5.8.0 Wso2 Identity Server 5.9.0 Wso2 Identity Server 5.10.0 Wso2 API Manager - Wso2 API Manager 1.0.0 Wso2 API Manager 1.1.1 Wso2 API Manager 1.2.0 Wso2 API Manager 1.3.0 Wso2 API Manager 1.3.1 Wso2 API Manager 1.4.0 Wso2 API Manager 1.5.0 Wso2 API Manager 1.6.0 Wso2 API Manager 1.7.0 Wso2 API Manager 1.8.0 Wso2 API Manager 1.9.0 Wso2 API Manager 1.9.1 Wso2 API Manager 1.10.0 Wso2 API Manager 2.0.0 Wso2 API Manager 2.1.0 Wso2 API Manager 2.2.0 Wso2 API Manager 2.5.0 Wso2 API Manager 2.6.0 Wso2 API Manager 3.0.0 Wso2 API Manager 3.1.0 Wso2 API Manager Analytics 2.5.0 Wso2 IOT Server 3.1.0	77

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2020/WSO2-2020-0718/