What is CVE-2023-6837?

CVE-2023-6837 is a high-severity vulnerability in Wso2 Api Manager, classified under Incorrect Authorization. CVSS score: 8.5/10. Published 2023-12-15.

How severe is CVE-2023-6837?

High severity. CVSS v3 base score is 8.5 out of 10.

Is CVE-2023-6837 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Auth bypass in Wso2 Api Manager

CVE-2023-6837

Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met: * An IDP configure…

Vulnerability class: Broken Access Control

EPSS: 0.003 (55.0th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 8.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N.

Affected products

Wso2 Api Manager — versions 0, 2.5.0, 2.6.0
Wso2 Carbon Identity Application Authentication Framework — versions 5.11.256, 5.12.153, 5.12.387
Wso2 Identity Server — versions 0, 5.6.0, 5.7.0
Wso2 Identity Server As Key Manager — versions 0, 5.6.0, 5.7.0

Weakness classification (CWE)

CWE-863 — Incorrect Authorization

Public proof-of-concept exploits

fkie-cad/nvd-json-data-feeds

References

security.docs.wso2.com/en/latest/security-announcements/security-advisories/202… (vendor-advisory)

Frequently asked questions

What is CVE-2023-6837?: CVE-2023-6837 is a high-severity vulnerability in Wso2 Api Manager, classified under Incorrect Authorization. CVSS score: 8.5/10. Published 2023-12-15.
How severe is CVE-2023-6837?: High severity. CVSS v3 base score is 8.5 out of 10.
Is CVE-2023-6837 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.