High severity (8.5) · NVD Advisory · Published Dec 15, 2023 · Updated Jun 17, 2026
CVE-2023-6837
Description
Multiple WSO2 products have been identified as vulnerable to user impersonation via JIT provisioning. For this vulnerability to have any impact on your deployment, the following conditions must be met:
- An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option.
- A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled.
The attacker must have:
- A fresh valid user account in the federated IDP that has not been used earlier.
- Knowledge of the username of a valid user in the local IDP.
When all preconditions are met, a malicious actor could use the JIT provisioning flow to perform user impersonation.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.authentication.framework (Maven) | < 5.20.254 | 5.20.254 |
| org.wso2.identity.apps:authentication-portal (Maven) | < 1.6.179.1 | 1.6.179.1 |
Affected products
GHSA coordinates (2 versions):
- pkg:maven/org.wso2.carbon.identity.framework/org.wso2.carbon.identity.application.authentication.framework (no CPE), range: < 5.20.254
- pkg:maven/org.wso2.identity.apps/authentication-portal (no CPE), range: < 1.6.179.1
- WSO2 / WSO2 API Manager (v5), range: 2.5.0
- WSO2 / WSO2 Carbon Identity Application Authentication Framework (v5), range: 5.11.256
- WSO2 / WSO2 Identity Server (v5), range: 5.6.0
- WSO2 / WSO2 Identity Server as Key Manager (v5), range: 5.6.0
References
- github.com/advisories/GHSA-f6jm-9pr8-9c3w (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-6837 (GHSA, advisory)
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573/ (NVD, vendor advisory)
- github.com/wso2/carbon-identity-framework/commit/fdab609760784086b8a3f55f7acf46d977a03d79 (GHSA, web)
- github.com/wso2/identity-apps/commit/1424203bbe81688d661ea8b8cd28e332302e1c53 (GHSA, web)
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573 (GHSA, web)