CVE-2024-1524: CWE-290 Authentication Bypass by Spoofing in WSO2 WSO2 API Manager
When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control.
The deployment should have:
- An IDP configured for federated authentication with Silent JIT provisioning enabled.
The malicious actor should have:
- A fresh valid user account in the federated IDP that has not been used earlier.
- Knowledge of the username of a valid user in the local IDP.
- An account at the federated IDP matching the targeted local username.
AI Analysis
Technical Summary
CVE-2024-1524 is an authentication bypass by spoofing (CWE-290) in WSO2 API Manager, recorded here against version 4.2.0. It arises when Silent Just-In-Time (JIT) provisioning is enabled for a federated identity provider: on a federated user's first login the server creates or updates a local user store account without prompting, keyed on the username asserted by the IDP. If that username equals an existing local username, the existing account's information is replaced with the federated user's and the local account becomes associated with a federated identity that the attacker controls. The attack needs no prior privileges on the target and no interaction from the victim, but it requires every precondition listed above: silent JIT enabled for the IDP, a previously unused account at that IDP, and knowledge of a valid local username that the attacker can register there. The outcome is access to, and manipulation of, whatever the targeted local account is entitled to, under that user's identity. The CVSS v3.1 base score is 7.7, which corresponds to AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L: network attack vector, high attack complexity, no privileges required, no user interaction, high confidentiality and integrity impact and low availability impact. This entry records no patch or public exploit. Only deployments with federated authentication and silent JIT provisioning enabled are affected, which makes the issue targeted but serious wherever those conditions hold.
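The flaw is easiest to see in a small model of the provisioning step. The following Python is an added example, not WSO2 code and not the vendor's fix: it keeps a toy local user store, provisions a federated assertion the way the advisory describes (keyed on the asserted username alone) and, beside it, a hardened variant that binds on the (IDP, subject) pair and refuses to auto-link a never-seen federated subject to an existing local account. The store contents, the IDP URL and every username are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Added example, not WSO2 code: a minimal model of "silent" JIT provisioning
# showing how keying the provisioned account on the asserted username alone
# lets a federated account take over a same-named local account. The store,
# the assertion and all names below are constructed for illustration.


@dataclass
class LocalUser:
    username: str
    email: str
    roles: Set[str] = field(default_factory=set)
    linked_to: Optional[Tuple[str, str]] = None  # (idp, subject) this account is bound to, if any


@dataclass
class FederatedAssertion:
    idp: str      # issuer / entity id of the federated IDP
    subject: str  # username asserted by that IDP (attacker-chosen at a self-service IDP)
    email: str


def provision_silently_vulnerable(store: Dict[str, LocalUser], a: FederatedAssertion) -> LocalUser:
    """Provision-or-update keyed on the asserted username only.

    If a local account with that username already exists, its attributes are
    replaced by the federated user's and the account becomes bound to the
    federated identity. Existing entitlements stay on the account, so the
    federated login now lands on them. (Which attributes WSO2 actually
    overwrites is not modelled; the binding is the point.)
    """
    user = store.get(a.subject)
    if user is None:
        user = LocalUser(username=a.subject, email=a.email)
        store[a.subject] = user
    user.email = a.email
    user.linked_to = (a.idp, a.subject)
    return user


def provision_silently_hardened(store: Dict[str, LocalUser],
                                links: Dict[Tuple[str, str], str],
                                a: FederatedAssertion) -> LocalUser:
    """Bind on (idp, subject), never on the bare username.

    - A subject that was linked before resolves to its linked local account.
    - A never-seen subject whose username matches an existing local account
      is refused rather than silently merged; an administrator has to link it.
    """
    key = (a.idp, a.subject)
    if key in links:
        return store[links[key]]
    if a.subject in store:
        raise PermissionError(f"refusing to auto-link {key} to existing local user {a.subject!r}")
    user = LocalUser(username=a.subject, email=a.email, linked_to=key)
    store[a.subject] = user
    links[key] = a.subject
    return user


def run_scenario() -> dict:
    """Replay the advisory's preconditions against both implementations."""
    def fresh_store() -> Dict[str, LocalUser]:
        # Constructed: one privileged local account, never linked to any IDP.
        return {"alice": LocalUser("alice", "alice@corp.example", {"admin"})}

    # Constructed: a fresh account at a federated IDP, registered with the victim's username.
    attacker = FederatedAssertion(idp="https://idp.partner.example",
                                  subject="alice", email="mallory@mail.example")

    vuln = fresh_store()
    hijacked = provision_silently_vulnerable(vuln, attacker)

    hard = fresh_store()
    links: Dict[Tuple[str, str], str] = {}
    try:
        provision_silently_hardened(hard, links, attacker)
        refused = False
    except PermissionError:
        refused = True

    return {
        "vuln_linked_to": hijacked.linked_to,    # attacker's IDP is now bound to 'alice'
        "vuln_roles": hijacked.roles,            # 'admin' entitlement reachable via federated login
        "vuln_email": vuln["alice"].email,       # local attribute replaced
        "hardened_refused": refused,
        "hardened_email": hard["alice"].email,   # untouched
        "hardened_linked_to": hard["alice"].linked_to,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running the scenario shows the difference in one line each: the vulnerable path leaves the privileged local account bound to the attacker's IDP with its original roles intact, while the hardened path raises and leaves the account unchanged. The hardened variant is one reasonable design, not a description of how WSO2's own fix works.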
Potential Impact
The primary impact of CVE-2024-1524 is takeover of a local user account through identity spoofing, which compromises the confidentiality and integrity of everything that account can reach in WSO2 API Manager: published APIs, subscriptions, keys, backend services fronted by the gateway and any administrative function the account holds. An attacker who links a targeted account to a federated identity they control logs in as that user without knowing its password, so the damage scales with the victim's entitlements. Availability impact is low, but the loss of trust in the federated login path and the possibility of silent data manipulation carry serious operational and reputational consequences. Exposure is highest where silent JIT provisioning is enabled for an IDP at which the attacker can self-register a username of their choice, and where local usernames are predictable or publicly known. Enterprises, government agencies and service providers that use WSO2 API Manager for API governance are the likely targets of such an attack.
Mitigation Recommendations
Mitigation starts with an inventory: for every federated IDP configured in the WSO2 API Manager deployment, check its Just-In-Time Provisioning setting and note which ones provision silently, that is, with no username, password or consent prompt. Where silent provisioning is not essential, disable it or switch to a mode that prompts the user, so a first-time federated login cannot bind to an existing local account without a human step. Next, enumerate the overlap between local user store usernames and the usernames each federated IDP could assert; every collision is a standing precondition for the attack, and partner or public IDPs where an attacker can self-register the username of their choice are the highest risk. Link federated identities by a stable identifier (IDP plus subject) rather than by bare username, and treat a first-seen federated subject whose username already exists locally as an event to review, not an update to apply. Log and alert on JIT provisioning events, on attribute changes to pre-existing local accounts, and on federated logins that resolve to an account not previously linked to that IDP. Reduce username discovery by keeping login, password-reset and registration error messages uniform. Apply WSO2's fix for the deployed version as soon as it is available, and verify afterwards that a username collision no longer results in an automatic association. Require multi-factor authentication and additional verification for federated users where the IDP supports it, and include federated login flows in regular penetration tests.
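Two of the checks above can be automated. The Python below is an added example rather than WSO2 tooling, and it does not use WSO2's real audit log format: it parses a constructed audit trail and flags a JIT provisioning event that binds a never-seen federated (IDP, subject) pair to a username that already existed in the local store before the log window, and it computes, per IDP, the username collisions that exist before any login happens. The log lines, field names and account lists are all constructed; adapt the regular expression to the audit format actually emitted by the deployment.

```python
import re
from typing import Dict, List, Set, Tuple

# Added example, not WSO2 code and not WSO2's audit format: two checks that
# cover the preconditions in this advisory. The log line layout, field names
# and account lists are constructed for illustration.

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>JIT_PROVISION|FED_LOGIN) "
    r"idp=(?P<idp>\S+) subject=(?P<subject>\S+) local=(?P<local>\S+)$"
)

# Constructed audit trail: a legitimate first-time federated user (bob), then a
# first-time partner-IDP subject whose username collides with a local account.
SAMPLE_LOG = """\
2024-02-20T10:00:01Z JIT_PROVISION idp=corp-okta subject=bob local=bob
2024-02-20T10:05:12Z FED_LOGIN idp=corp-okta subject=bob local=bob
2024-02-20T11:30:45Z JIT_PROVISION idp=partner-idp subject=alice local=alice
2024-02-20T11:31:02Z FED_LOGIN idp=partner-idp subject=alice local=alice
2024-02-20T12:00:00Z FED_LOGIN idp=corp-okta subject=bob local=bob
"""

# Constructed snapshot of local user store accounts taken before the log window.
LOCAL_USERS_BEFORE: Set[str] = {"alice", "carol"}


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed audit format into dicts; unknown lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_suspicious_provisioning(text: str, local_before: Set[str]) -> List[Dict[str, str]]:
    """Flag JIT_PROVISION events that bind a never-seen (idp, subject) pair to a
    username that already existed locally: the collision the advisory describes.
    A pair that was already seen (linked earlier) is a returning federated user."""
    seen: Set[Tuple[str, str]] = set()
    hits = []
    for ev in parse_log(text):
        key = (ev["idp"], ev["subject"])
        if ev["event"] == "JIT_PROVISION" and ev["local"] in local_before and key not in seen:
            hits.append(ev)
        seen.add(key)
    return hits


def username_collisions(local_users: Set[str],
                        federated_users: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Pre-emptive audit: per IDP, the usernames it can assert that also exist locally.
    Any non-empty set is a live precondition while silent JIT is enabled for that IDP."""
    return {idp: local_users & users
            for idp, users in federated_users.items() if local_users & users}


if __name__ == "__main__":
    for ev in find_suspicious_provisioning(SAMPLE_LOG, LOCAL_USERS_BEFORE):
        print("REVIEW:", ev)
    # Constructed: usernames known at each IDP (exported from the IDP, or simply self-registrable).
    print(username_collisions({"alice", "carol"},
                              {"corp-okta": {"bob"}, "partner-idp": {"alice", "dave"}}))
```

The log check deliberately keys "already seen" on the (IDP, subject) pair rather than on the local username, so a returning federated user is not re-flagged while a new federated subject landing on an old local account is. The pre-login audit only needs the list of usernames an IDP can assert; for a self-service IDP that list is effectively every local username, which is the case to treat as already compromised.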
Affected Countries
United States, India, United Kingdom, Germany, Australia, Canada, Singapore, Netherlands, France, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: WSO2
- Date Reserved: 2024-02-15T06:54:41.277Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699d6c99be58cf853b9c9dbd
Added to database: 2/24/2026, 9:17:13 AM
Last enriched: 2/24/2026, 9:31:34 AM
Last updated: 2/24/2026, 11:37:37 PM
Related Threats
- CVE-2026-27593: CWE-640: Weak Password Recovery Mechanism for Forgotten Password in statamic cms (Critical)
- CVE-2026-27117: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in rikyoz bit7z (Medium)
- CVE-2026-27572: CWE-770: Allocation of Resources Without Limits or Throttling in bytecodealliance wasmtime (Medium)
- CVE-2026-27204: CWE-400: Uncontrolled Resource Consumption in bytecodealliance wasmtime (Medium)
- CVE-2026-27195: CWE-755: Improper Handling of Exceptional Conditions in bytecodealliance wasmtime (Medium)