CVE-2024-6914

Опубликовано: 22 мая 2025

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:5.3.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:6.0.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:6.1.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server:7.0.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server_as_key_manager:5.3.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:open_banking_am:1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:open_banking_am:1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:open_banking_am:1.5.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:open_banking_km:1.3.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:open_banking_km:1.4.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:open_banking_km:1.5.0:*:*:*:*:*:*:*

EPSS

Процентиль: 33%

0.00131

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-863

Связанные уязвимости

GHSA-hqgr-xf2j-75r5

CVSS3: 9.8

github

9 месяцев назад

An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks.

EPSS

Процентиль: 33%

0.00131

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-863