CVE-2024-1524
Undergoing Analysis Undergoing Analysis - In Progress

BaseFortify

Vulnerability report for CVE-2024-1524, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-24

Last updated on: 2026-03-03

Assigner: WSO2 LLC

Description

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control. The Deployment should have: -An IDP configured for federated authentication with Silent JIT provisioning enabled. The malicious actor should have: -A fresh valid user account in the federated IDP that has not been used earlier. -Knowledge of the username of a valid user in the local IDP. -An account at the federated IDP matching the targeted local username.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-24
Last Modified
2026-03-03
Generated
2026-07-06
AI Q&A
2026-02-24
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
wso2 api_manager From 4.2.0 (inc) to 4.2.0.108 (exc)
wso2 identity_server From 6.0.0 (inc) to 6.0.0.171 (exc)
wso2 identity_server From 6.1.0 (inc) to 6.1.0.128 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs when the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP). In this scenario, if a federated user shares the same username as a local user, there is a risk that the local user's information may be replaced during the account provisioning process.

The vulnerability only manifests if certain conditions are met: the deployment must have an IDP configured for federated authentication with Silent JIT provisioning enabled, and a malicious actor must have a fresh valid user account in the federated IDP, know the username of a valid local user, and have an account at the federated IDP matching that local username.

Impact Analysis

If exploited, this vulnerability can allow a malicious actor to associate a targeted local user account with a federated IDP user account they control. This means the attacker could potentially replace or overwrite the local user's information during provisioning, leading to unauthorized access or impersonation.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, ensure that the "Silent Just-In-Time Provisioning" feature is disabled unless absolutely necessary.

Verify that your deployment does not have an IDP configured for federated authentication with Silent JIT provisioning enabled.

Additionally, monitor and restrict the creation of fresh valid user accounts in the federated IDP that could match local usernames.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-1524. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart