CVE-2024-7096

EPSS 0.02%
Published 30.05.2025 14:54:32
Last modified 06.10.2025 13:58:40
Source ed10eef1-636d-4fbe-9993-6890df
Teams watchlist Login
Open Login

A privilege escalation vulnerability exists in multiple [Vendor Name] products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met:
  *  SOAP admin services are accessible to the attacker.
  *  The deployment includes an internally used attribute that is not part of the default WSO2 product configuration.
  *  At least one custom role exists with non-default permissions.
  *  The attacker has knowledge of the custom role and the internal attribute used in the deployment.


Exploiting this vulnerability allows malicious actors to assign higher privileges to self-registered users, bypassing intended access control mechanisms.

Affected products Warnungen 0 Metrics 3 CWE 1 References 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Wso2 ≫ Api Manager Version2.0.0

Wso2 ≫ Api Manager Version2.1.0

Wso2 ≫ Api Manager Version2.2.0

Wso2 ≫ Api Manager Version2.5.0

Wso2 ≫ Api Manager Version2.6.0

Wso2 ≫ Api Manager Version3.0.0

Wso2 ≫ Api Manager Version3.1.0

Wso2 ≫ Api Manager Version3.2.0

Wso2 ≫ Api Manager Version3.2.1

Wso2 ≫ Api Manager Version4.0.0

Wso2 ≫ Api Manager Version4.1.0 Update-

Wso2 ≫ Api Manager Version4.2.0 Update-

Wso2 ≫ Api Manager Version4.3.0 Update-

Wso2 ≫ Identity Server Version5.2.0

Wso2 ≫ Identity Server Version5.3.0

Wso2 ≫ Identity Server Version5.4.0

Wso2 ≫ Identity Server Version5.4.1

Wso2 ≫ Identity Server Version5.5.0

Wso2 ≫ Identity Server Version5.6.0

Wso2 ≫ Identity Server Version5.7.0

Wso2 ≫ Identity Server Version5.8.0

Wso2 ≫ Identity Server Version5.9.0

Wso2 ≫ Identity Server Version5.10.0

Wso2 ≫ Identity Server Version5.11.0

Wso2 ≫ Identity Server Version6.0.0 Update-

Wso2 ≫ Identity Server Version6.1.0 Update-

Wso2 ≫ Identity Server Version7.0.0 Update-

Wso2 ≫ Identity Server As Key Manager Version5.3.0

Wso2 ≫ Identity Server As Key Manager Version5.5.0

Wso2 ≫ Identity Server As Key Manager Version5.6.0

Wso2 ≫ Identity Server As Key Manager Version5.7.0

Wso2 ≫ Identity Server As Key Manager Version5.9.0

Wso2 ≫ Identity Server As Key Manager Version5.10.0

Wso2 ≫ Open Banking Am Version1.3.0

Wso2 ≫ Open Banking Am Version1.4.0

Wso2 ≫ Open Banking Am Version1.5.0

Wso2 ≫ Open Banking Am Version2.0.0

Wso2 ≫ Open Banking Iam Version2.0.0

Wso2 ≫ Open Banking Km Version1.3.0

Wso2 ≫ Open Banking Km Version1.4.0

Wso2 ≫ Open Banking Km Version1.5.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.02%	0.051

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	5.4	2.8	2.5	CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
ed10eef1-636d-4fbe-9993-6890dfa878f8	4.2	1.6	2.5	CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3573/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-7096

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-7096

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-7096

EUVD