CVE-2020-24703

Source
https://cve.org/CVERecord?id=CVE-2020-24703
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-24703.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-24703
Published
2020-08-27T16:15:11.583Z
Modified
2026-07-08T05:55:55.485379429Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-controlled server if the victim submits a crafted Try It request, aka Session Hijacking. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 and 3.3.1.

Database specific
{
    "unresolved_ranges": [
        {
            "source": "CPE_STRING",
            "vendor_product": "wso2:api_microgateway",
            "extracted_events": [
                {
                    "introduced": "2.2.0"
                },
                {
                    "last_affected": "2.2.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_STRING",
            "vendor_product": "wso2:data_analytics_server",
            "extracted_events": [
                {
                    "introduced": "3.2.0"
                },
                {
                    "last_affected": "3.2.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_STRING",
            "vendor_product": "wso2:identity_server",
            "extracted_events": [
                {
                    "introduced": "5.5.0"
                },
                {
                    "last_affected": "5.5.0"
                },
                {
                    "introduced": "5.8.0"
                },
                {
                    "last_affected": "5.8.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_STRING",
            "vendor_product": "wso2:identity_server_analytics",
            "extracted_events": [
                {
                    "introduced": "5.5.0"
                },
                {
                    "last_affected": "5.5.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_STRING",
            "vendor_product": "wso2:identity_server_as_key_manager",
            "extracted_events": [
                {
                    "introduced": "5.5.0"
                },
                {
                    "last_affected": "5.5.0"
                }
            ],
            "cpes": [
                "cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*"
            ]
        },
        {
            "source": "CPE_STRING",
            "vendor_product": "wso2:iot_server",
            "extracted_events": [
                {
                    "introduced": "3.3.0"
                },
                {
                    "last_affected": "3.3.0"
                },
                {
                    "introduced": "3.3.1"
                },
                {
                    "last_affected": "3.3.1"
                }
            ],
            "cpes": [
                "cpe:2.3:a:wso2:iot_server:3.3.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:wso2:iot_server:3.3.1:*:*:*:*:*:*:*"
            ]
        }
    ]
}
References

Affected packages

Git
github.com/wso2/analytics-apim

Affected ranges

Type
GIT
Repo
https://github.com/wso2/analytics-apim
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2.2.0"
        },
        {
            "last_affected": "2.2.0"
        }
    ]
}

Affected versions

2.*
2.2.0
v2.*
v2.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-24703.json"
github.com/wso2/product-apim

Affected ranges

Type
GIT
Repo
https://github.com/wso2/product-apim
Events
Database specific
{
    "source": "CPE_STRING",
    "cpe": "cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "2.2.0"
        },
        {
            "last_affected": "2.2.0"
        }
    ]
}

Affected versions

2.*
2.2.0
v2.*
v2.2.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-24703.json"
github.com/wso2/product-ei

Affected ranges

Type
GIT
Repo
https://github.com/wso2/product-ei
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "CPE_RANGE",
    "cpe": "cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "6.6.0"
        }
    ]
}

Affected versions

v6.*
v6.0.0-m1
v6.1.1-update10
v6.1.1-update11
v6.1.1-update12
v6.1.1-update13
v6.1.1-update14
v6.1.1-update15
v6.1.1-update16
v6.1.1-update17
v6.1.1-update18
v6.1.1-update19
v6.1.1-update20
v6.1.1-update21
v6.1.1-update22
v6.1.1-update23
v6.1.1-update24
v6.1.1-update8
v6.1.1-update9
v6.2.0
v6.2.0-rc1
v6.2.0-rc2
v6.3.0
v6.3.0-m1
v6.3.0-m10
v6.3.0-m11
v6.3.0-m2
v6.3.0-m3
v6.3.0-m4
v6.3.0-m5
v6.3.0-m6
v6.3.0-m7
v6.3.0-m8
v6.3.0-m9
v6.3.0-rc1
v6.3.0-rc2
v6.4.0
v6.4.0-m1
v6.4.0-m2
v6.4.0-m3
v6.4.0-m4
v6.4.0-m5
v6.4.0-m6
v6.4.0-m7
v6.4.0-m8
v6.4.0-rc1
v6.5.0
v6.5.0-m1
v6.5.0-m2
v6.5.0-m3
v6.5.0-m4
v6.5.0-m6
v6.5.0-rc1
v6.6.0
v6.6.0-beta
v6.6.0-rc1
v6.6.0-rc2
v6.6.0-rc3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-24703.json"