CVE-2024-1248

Privilege Escalation via JIT Provisioning in Federated Authentication

Vulnerability report for CVE-2024-1248, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-04

Last updated on: 2026-07-04

Assigner: WSO2 LLC

Description

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username with a local user. This allows the provisioning process to overwrite existing roles of local users with roles assigned to the federated user. Exploitation requires a federated identity provider (IDP) with silent JIT provisioning enabled and an attacker's knowledge of a local user's username. When these conditions are met, a malicious individual can leverage the JIT provisioning process to modify the roles of local users. The overwritten roles are limited to those defined within the federated IDP, typically granting minimal access rights unless explicitly configured otherwise by the federated IDP administrator.
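To make the failure mode concrete, here is an added Python model (not WSO2's code or any product's real provisioning logic; all usernames, roles and the `partner-idp` identifier are constructed) of a silent JIT upsert keyed on username alone, beside a variant that keeps federated identities under an IdP-scoped key so they can never replace a local account's roles.

```python
# Added example, not code from the affected product. Models the username
# collision the advisory describes and one way to segregate identities.
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    source: str                      # "local" or the identity provider name
    roles: set = field(default_factory=set)


class UserStore:
    def __init__(self):
        self.accounts = {}           # keyed by username only: the root of the flaw

    def add_local(self, username, roles):
        self.accounts[username] = Account(username, "local", set(roles))


def jit_provision_vulnerable(store, idp, username, idp_roles):
    """Silent JIT as described: upsert on the bare username, so a federated
    login that collides with a local user replaces that user's roles."""
    acct = Account(username, idp, set(idp_roles))
    store.accounts[username] = acct  # local roles are overwritten here
    return acct


def jit_provision_fixed(store, idp, username, idp_roles):
    """Hardened variant: federated identities live under an IdP-qualified key,
    so a local account sharing the username is never touched."""
    key = f"{idp}/{username}"
    acct = store.accounts.setdefault(key, Account(username, idp, set()))
    acct.roles = set(idp_roles)      # only the federated account's roles change
    return acct


def demo():
    """Return local 'alice' roles after the vulnerable and the fixed flow."""
    # Constructed data: a local admin and a federated user with the same name.
    s1 = UserStore()
    s1.add_local("alice", {"admin"})
    jit_provision_vulnerable(s1, "partner-idp", "alice", {"everyone"})
    s2 = UserStore()
    s2.add_local("alice", {"admin"})
    jit_provision_fixed(s2, "partner-idp", "alice", {"everyone"})
    return s1.accounts["alice"].roles, s2.accounts["alice"].roles
```

An audit check that flags any role change on a `source == "local"` account triggered by a federated login would catch the first flow in logs even before the code is fixed.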

CVSS Scores

EPSS Scores


Meta Information

Published: 2026-07-04
Last Modified: 2026-07-04
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE

CWE-298: A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

Attack-Flow Graph

Executive Summary

This vulnerability involves the silent Just-In-Time (JIT) provisioning feature used in federated authentication systems. When a federated user shares the same username as a local user, the JIT provisioning process can overwrite the existing roles of the local user with the roles assigned to the federated user. This happens because the system fails to properly segregate user roles during account creation.

Exploitation requires that the federated identity provider (IDP) has silent JIT provisioning enabled and that the attacker knows the username of a local user. Under these conditions, an attacker can manipulate the provisioning process to change the roles of local users.

The roles overwritten are limited to those defined by the federated IDP, which usually grant minimal access rights unless the federated IDP administrator has configured them otherwise.

Impact Analysis

This vulnerability affects you if an attacker knows a local username and your federated IDP uses silent JIT provisioning: the attacker can then modify that local user's roles, which could lead to unauthorized changes in user permissions.

Although the overwritten roles are typically limited to minimal access rights, if the federated IDP administrator has configured roles with higher privileges, an attacker could potentially escalate privileges or disrupt normal access controls.

The CVSS score of 4.8 indicates a moderate severity, reflecting that the vulnerability requires network access with high attack complexity and no privileges or user interaction, and impacts integrity and availability.
