CVE-2023-6837: 
Java vulnerability analysis and mitigation

Multiple WSO2 products have been identified as vulnerable to user impersonation using JIT (Just-In-Time) provisioning. The vulnerability (CVE-2023-6837) was disclosed in December 2023 and affects various versions of WSO2 API Manager, Identity Server, and IS as Key Manager products (WSO2 Advisory).

The vulnerability requires specific conditions to be exploited: an IDP must be configured for federated authentication with JIT provisioning enabled using the 'Prompt for username, password and consent' option, and a service provider must use this IDP for federated authentication with the 'Assert identity using mapped local subject identifier' flag enabled. The vulnerability has received a CVSS v3.1 base score of 8.2 HIGH (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N) according to NVD assessment (NVD).

When the preconditions are met, a malicious actor with a fresh valid user account in the federated IDP and knowledge of a valid local IDP username could perform user impersonation. The attacker could associate a targeted local user account with a federated IDP user account under their control (WSO2 Advisory).

WSO2 has released patches for affected products. Users can either upgrade to the latest version if it's not listed as affected, or apply specific fixes through public patches. For backward compatibility, specific configurations can be added to the deployment.toml or identity.xml files. WSO2 subscription holders should update their products to specified update levels or higher. The exact update levels vary by product version and are detailed in the advisory (WSO2 Advisory).