CVE-2024-0391
Description
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts.
The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns or other malicious activities aimed at tricking users into divulging sensitive data, potentially damaging the organization's reputation and leading to regulatory non-compliance and financial consequences.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The email OTP flow in WSO2 Identity Server products fails to validate user input when checking account lock states, enabling username enumeration.
The flaw lies in the "check user account lock states" step of the email OTP flow in WSO2 Identity Server, Identity Server as Key Manager, and Open Banking IAM. Because that step runs the lock-state check on unvalidated, attacker-supplied input, its outcome differs depending on whether the supplied username is registered, and that difference is visible in the response, so a remote attacker can use the step as an oracle for account existence [1].
No authentication is needed: the attacker submits candidate usernames to the email OTP step and compares each response with the one returned for a username known not to exist; any deviation marks the candidate as a registered account. Nothing beyond ordinary network access to the login flow is required [1].
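The oracle described above, reduced to its essentials, as an added illustration that is not WSO2's code: a lock-state check that runs on raw input and answers differently for unknown, locked and active users, placed beside a hardened variant that validates the input and returns one uniform body, plus the probing loop an attacker would run against either. The user store, response bodies, username policy and function names are assumptions made for the example.

```python
"""Username-enumeration oracle in an email-OTP "check account lock state" step,
simulated next to a hardened variant.  Added illustration of the flaw class,
not WSO2 code: the user store, response bodies, username policy and function
names are assumptions made for the example."""

import re

# Constructed sample user store: username -> account locked?  (not real data)
USER_STORE = {"alice": False, "bob": True}

# Assumed input policy for the hardened handler.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")

# One response body used for every outcome so nothing about the account leaks.
GENERIC = {"status": "ok", "message": "If the account exists, an OTP has been sent."}


def check_lock_state_vulnerable(username):
    """The flaw class: the lock-state check runs directly on the caller's input
    and each outcome (unknown user, locked user, active user) produces a
    different response, so the response is an oracle for account existence."""
    if username not in USER_STORE:
        return {"status": "error", "message": "User not found"}
    if USER_STORE[username]:
        return {"status": "error", "message": "Account is locked"}
    return {"status": "ok", "message": "OTP sent"}


def check_lock_state_hardened(username, outbox=None):
    """Hardened form: validate the input shape, evaluate existence and lock
    state only to decide internally whether an OTP is dispatched, and return
    the same body in every case.  `outbox` stands in for the mail queue."""
    if outbox is None:
        outbox = []
    if USERNAME_RE.fullmatch(username) is not None:
        exists = username in USER_STORE
        locked = USER_STORE.get(username, False)
        if exists and not locked:
            outbox.append(username)  # real system: enqueue the OTP asynchronously
    return dict(GENERIC)


def enumerate_users(handler, candidates):
    """Attacker view: probe with a username that is certainly not registered to
    get a baseline, then flag every candidate whose response differs."""
    baseline = handler("zz-not-a-user-9f3a")  # assumed never registered
    return sorted(u for u in candidates if handler(u) != baseline)


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol", "../etc/passwd"]
    print("vulnerable:", enumerate_users(check_lock_state_vulnerable, wordlist))
    print("hardened:  ", enumerate_users(check_lock_state_hardened, wordlist))
```

Against the vulnerable handler the probe recovers both registered names (the locked account leaks just as readily as the active one); against the hardened handler it recovers nothing, while the OTP is still dispatched only for the one existing, unlocked account. A uniform body is necessary but not sufficient: the HTTP status code and the response time must also be identical for all inputs, which is why the real OTP dispatch should be queued asynchronously rather than sent inline only for real users.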
The result is a list of valid usernames, which lowers the cost of credential brute-forcing and lets an attacker aim phishing and other social engineering at accounts known to exist. The broader consequences are reputational damage, loss of customer trust, regulatory non-compliance and financial loss [1].
WSO2 has released fixes for the affected product versions. Apply the fix from the referenced GitHub pull request or upgrade to the latest unaffected version of the respective product; support subscription holders can instead move to the specified update levels [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.