CVE-2024-1524
📋 TL;DR
This vulnerability allows a malicious actor to take over local user accounts when federated authentication with Silent Just-In-Time Provisioning is enabled. An attacker can associate a targeted local user account with a federated IDP account they control if they know the local username and create a matching federated account. Organizations using WSO2 identity servers with federated authentication and Silent JIT provisioning are affected.
💻 Affected Systems
- WSO2 Identity Server
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover of privileged local user accounts, allowing unauthorized access to sensitive systems and data.
Likely Case
Unauthorized access to standard user accounts, potentially leading to data exposure or privilege escalation.
If Mitigated
No impact if Silent JIT provisioning is disabled or proper user mapping controls are in place.
🎯 Exploit Status
Requires valid federated IDP account, knowledge of local username, and specific configuration conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not specified in the provided reference; check the WSO2-2024-3144 advisory for the fixed version.
Vendor Advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3144/
Restart Required: Yes
Instructions:
1. Review the WSO2-2024-3144 advisory for the specific patch version.
2. Apply the security patch from WSO2.
3. Restart the Identity Server.
4. Verify the fix is applied.
🔧 Temporary Workarounds
Disable Silent JIT Provisioning
Temporarily disable the Silent Just-In-Time Provisioning feature for federated identity providers.
Modify identity-provider.xml configuration to set <SilentJITProvisioningEnabled>false</SilentJITProvisioningEnabled>
Implement Unique Username Policies
Ensure local and federated usernames don't overlap by using different naming conventions.
Configure username policies to prefix local users (e.g., 'local_username') and federated users (e.g., 'fed_username')
🧯 If You Can't Patch
- Disable Silent JIT provisioning for all federated identity providers immediately.
- Implement monitoring for unusual account provisioning events and review user account associations regularly.
🔍 How to Verify
Check if Vulnerable:
Check whether Silent JIT provisioning is enabled in any federated IDP configuration, and whether any local username matches a username that a federated IDP can assert (the precondition for the takeover).
Check Version:
Check WSO2 Identity Server version through management console or server logs.
Verify Fix Applied:
After patching, verify that local user accounts cannot be associated with federated accounts sharing the same username.
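The collision check described under "Check if Vulnerable" can be scripted against an export of the local user store and the usernames the federated IDP can assert. The following is an added example, not code from the page or from WSO2; it assumes usernames may carry a user-store prefix (`STORE/name`) or a domain suffix (`name@domain`) and compares them case-insensitively, which deliberately over-reports so that near-matches are reviewed by a human. The user lists, the privileged-account list and the prefix/suffix conventions are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Collision:
    """A local account whose name a federated IDP could also assert."""
    local: str
    federated: list = field(default_factory=list)
    privileged: bool = False


def normalize(username: str) -> str:
    """Reduce a username to its bare, lower-cased form for comparison.

    Assumed conventions (not taken from the page): an optional user-store
    prefix 'STORE/name' and an optional domain suffix 'name@domain'.
    Stripping the suffix can merge distinct email-style names; that is
    intended, since a false positive here only costs a manual review.
    """
    name = username.strip()
    if "/" in name:
        name = name.rsplit("/", 1)[1]
    if "@" in name:
        name = name.split("@", 1)[0]
    return name.lower()


def find_username_collisions(local_users, federated_users, privileged=()):
    """Return collisions, privileged accounts first, then by local name."""
    fed_index = {}
    for fed in federated_users:
        fed_index.setdefault(normalize(fed), []).append(fed)
    privileged_keys = {normalize(p) for p in privileged}

    collisions = []
    for local in local_users:
        key = normalize(local)
        if key in fed_index:
            collisions.append(Collision(local=local,
                                        federated=list(fed_index[key]),
                                        privileged=key in privileged_keys))
    return sorted(collisions, key=lambda c: (not c.privileged, c.local))


# Constructed sample inventories for the example run.
LOCAL_USERS = ["admin", "PRIMARY/alice", "bob", "carol"]
FEDERATED_USERS = ["Alice", "admin@idp.example", "dave"]
PRIVILEGED_USERS = ["admin"]


if __name__ == "__main__":
    for c in find_username_collisions(LOCAL_USERS, FEDERATED_USERS, PRIVILEGED_USERS):
        flag = "PRIVILEGED " if c.privileged else ""
        print(f"{flag}local '{c.local}' collides with federated {c.federated}")
```

Any collision involving a privileged account is the one to resolve first, either by renaming under the prefix policy above or by disabling Silent JIT provisioning until the patch is applied.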
📡 Detection & Monitoring
Log Indicators:
- Unexpected user account provisioning events
- Local user accounts being modified during federated authentication
- Multiple failed authentication attempts followed by successful provisioning
Network Indicators:
- Unusual authentication patterns from federated IDP sources
- Increased authentication traffic to specific user accounts
SIEM Query:
Authentication logs where local_user_modified=true AND auth_source=federated_idp
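The three log indicators and the SIEM pseudo-query above can be implemented as one pass over an authentication audit log. The following is an added example, not code from the page or from WSO2; the JSON-lines record format, the field names (`event`, `user`, `auth_source`, `local_user_modified`), the failure threshold and the local-user inventory are all constructed for the example and would need to be mapped onto the fields your actual log source emits.

```python
import json
from collections import defaultdict

# Constructed sample audit log in JSON-lines form. Not WSO2's real log
# format; field names mirror the SIEM pseudo-query above. The malformed
# line is included on purpose to show the parser skipping it.
SAMPLE_LOG = """\
{"ts": "2024-03-01T10:00:01Z", "event": "auth_failure", "user": "alice", "auth_source": "local"}
{"ts": "2024-03-01T10:00:05Z", "event": "auth_failure", "user": "alice", "auth_source": "local"}
{"ts": "2024-03-01T10:00:09Z", "event": "auth_failure", "user": "alice", "auth_source": "local"}
{"ts": "2024-03-01T10:01:30Z", "event": "provisioned", "user": "alice", "auth_source": "federated_idp", "local_user_modified": true}
{"ts": "2024-03-01T10:02:00Z", "event": "auth_success", "user": "bob", "auth_source": "local"}
not a json line
{"ts": "2024-03-01T10:03:00Z", "event": "provisioned", "user": "newhire", "auth_source": "federated_idp", "local_user_modified": false}
"""

# Constructed inventory of accounts that already exist in the local user store.
LOCAL_USERS = {"admin", "alice", "bob"}

# Assumed threshold: this many failures before a provisioning event is flagged.
FAIL_THRESHOLD = 3


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line should not abort detection
        ev["_line"] = lineno
        events.append(ev)
    return events


def detect_jit_takeover(events, local_users=LOCAL_USERS, fail_threshold=FAIL_THRESHOLD):
    """Apply the page's three indicators to an ordered event stream."""
    alerts = []
    failures = defaultdict(int)  # per-user streak of failed logins

    for ev in events:
        user = ev.get("user", "")
        kind = ev.get("event")

        if kind == "auth_failure":
            failures[user] += 1
            continue
        if kind == "auth_success" and ev.get("auth_source") == "local":
            failures[user] = 0  # a genuine local login ends the streak

        # Indicator: local account modified during federated authentication
        # (the SIEM pseudo-query: local_user_modified=true AND auth_source=federated_idp)
        if ev.get("auth_source") == "federated_idp" and ev.get("local_user_modified") is True:
            alerts.append({"rule": "local_user_modified_by_federated_auth",
                           "user": user, "line": ev["_line"]})

        if kind == "provisioned":
            # Indicator: provisioning for a username that already exists locally
            if user in local_users:
                alerts.append({"rule": "provisioning_for_existing_local_user",
                               "user": user, "line": ev["_line"]})
            # Indicator: repeated failures followed by successful provisioning
            if failures[user] >= fail_threshold:
                alerts.append({"rule": "failures_then_provisioning",
                               "user": user, "line": ev["_line"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_jit_takeover(parse_log(SAMPLE_LOG)):
        print(f"line {alert['line']}: {alert['rule']} for user '{alert['user']}'")
```

In the sample, the `newhire` provisioning event raises nothing because it touches no existing local account, while the `alice` event trips all three rules at once; in practice the first rule alone is the high-confidence signal, and the other two raise its priority.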