Exploitation requires an attacker to obtain a valid refresh token of an admin user. Since refresh tokens generally have a longer expiration time, this could lead to prolonged unauthorized access to API resources, impacting data confidentiality and integrity.
Metrics
Affected Vendors & Products
Solution
Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3213/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3213/#solution
Workaround
No workaround given by the vendor.
Fri, 03 Oct 2025 16:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:6.1.0:*:*:*:*:*:*:* |
Tue, 04 Mar 2025 03:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Thu, 27 Feb 2025 04:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations. Exploitation requires an attacker to obtain a valid refresh token of an admin user. Since refresh tokens generally have a longer expiration time, this could lead to prolonged unauthorized access to API resources, impacting data confidentiality and integrity. | |
Title | Incorrect Authorization in Multiple WSO2 Products Allows API Access via Refresh Token | |
Weaknesses | CWE-863 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: WSO2
Published:
Updated: 2025-02-27T14:43:16.368Z
Reserved: 2024-03-08T10:50:05.874Z
Link: CVE-2024-2321

Updated: 2025-02-27T14:43:12.375Z

Status : Analyzed
Published: 2025-02-27T05:15:13.797
Modified: 2025-10-03T16:29:15.260
Link: CVE-2024-2321

No data.

Updated: 2025-07-13T11:13:53Z