Incorrect Authorization Affecting org.wso2.am:am-parent package, versions [4.0.0-beta,]


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.22% (13th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JAVA-ORGWSO2AM-9296376
  • published6 Mar 2025
  • disclosed27 Feb 2025
  • creditUnknown

Introduced: 27 Feb 2025

CVE-2024-2321  (opens in a new tab)
CWE-863  (opens in a new tab)

How to fix?

There is no fixed version for org.wso2.am:am-parent.

Overview

org.wso2.am:am-parent is a WSO2 API Manager - Aggregator Module

Affected versions of this package are vulnerable to Incorrect Authorization that allows an attacker in possession of a valid admin refresh token to gain unauthorized access to API resources by using a refresh token instead of the expected access token.

Note: This vulnerability has been patched in API Manager 4.0.0 patch 275, 4.1.0 patch 153, and 4.2.0 patch 83; and Identity Server 5.11.0 patch 326, 6.0.0 patch 172, and 6.1.0 patch 130.

CVSS Base Scores

version 4.0
version 3.1