CVE-2024-7096: 
Java vulnerability analysis and mitigation

A privilege escalation vulnerability (CVE-2024-7096) was discovered in multiple WSO2 products. The vulnerability was disclosed on November 10, 2024, and received a CVSS v3.1 score of 4.2 (Medium). The affected products include various versions of WSO2 API Manager, Identity Server, Identity Server as Key Manager, Open Banking AM, Open Banking KM, and Open Banking IAM (WSO2 Advisory).

The vulnerability stems from a business logic flaw in SOAP admin services. The issue allows potential privilege escalation when specific conditions are met: SOAP admin services must be accessible to the attacker, the deployment must include an internally used attribute not part of the default WSO2 product configuration, at least one custom role with non-default permissions must exist, and the attacker needs knowledge of both the custom role and the internal attribute used in the deployment (WSO2 Advisory).

When successfully exploited, this vulnerability enables malicious actors to assign higher privileges to self-registered users, effectively bypassing intended access control mechanisms. The impact is limited by the specific prerequisites that must be met for successful exploitation (WSO2 Advisory).

WSO2 has released patches for affected products. Commercial users should update to the specified update level or higher through WSO2 Updates. Community users are recommended to migrate to the latest version of their respective WSO2 products. If applying updates is not feasible, users should migrate to the latest unaffected version of the respective WSO2 product(s) (WSO2 Advisory).