CVE-2024-7097: Incorrect Authorization in Multiple WSO2 Products via SOAP Admin Service Allowing Unauthorized User Signup

4.3 CVSS

Description

An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows user account creation regardless of the self-registration configuration settings. This vulnerability enables malicious actors to create new user accounts without proper authorization.

Exploitation of this flaw could allow an attacker to create multiple low-privileged user accounts, gaining unauthorized access to the system. Additionally, continuous exploitation could lead to system resource exhaustion through mass user creation.

Classification

CVE ID: CVE-2024-7097

CVSS Base Severity: MEDIUM

CVSS Base Score: 4.3

CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected Products

Vendor: WSO2

Product: WSO2 Open Banking AM, WSO2 Open Banking KM, WSO2 Identity Server as Key Manager, WSO2 API Manager, WSO2 Identity Server, WSO2 Open Banking IAM, WSO2 Enterprise Mobility Manager

Nuclei Template

http/cves/2024/CVE-2024-7097.yaml

References

https://nvd.nist.gov/vuln/detail/CVE-2024-7097
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3574/

Timeline

2025-05-30 16:40:11 UTC
CVE

Incorrect Authorization in Multiple WSO2 Products via SOAP Admin Service Allowing Unauthorized User Signup