{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-05T00:25:46.211","vulnerabilities":[{"cve":{"id":"CVE-2024-1524","sourceIdentifier":"ed10eef1-636d-4fbe-9993-6890dfa878f8","published":"2026-02-24T09:16:11.700","lastModified":"2026-03-03T00:32:34.177","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"When the \"Silent Just-In-Time Provisioning\" feature is enabled for a federated identity provider (IDP)  there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. \n\n There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control.\n\nThe Deployment should have: \n-An IDP configured for federated authentication with Silent JIT provisioning enabled.\n\nThe malicious actor should have:\n-A fresh valid user account in the federated IDP that has not been used earlier.\n-Knowledge of the username of a valid user in the local IDP. \n-An account at the federated IDP matching the targeted local username."},{"lang":"es","value":"Cuando la característica 'Aprovisionamiento Silencioso Justo a Tiempo' está habilitada para un proveedor de identidad federado (IDP), existe un riesgo de que la información de un usuario del almacén de usuarios local pueda ser reemplazada durante el proceso de aprovisionamiento de cuentas en casos donde los usuarios federados comparten el mismo nombre de usuario que los usuarios locales.\n\nNo habrá impacto en su despliegue si alguna de las precondiciones mencionadas a continuación no se cumple. Solo cuando todas las precondiciones mencionadas a continuación se cumplan, podría un actor malicioso asociar una cuenta de usuario local objetivo con una cuenta de usuario de IDP federado que ellos controlan.\n\nEl despliegue debería tener:\n-Un IDP configurado para autenticación federada con aprovisionamiento JIT silencioso habilitado.\n\nEl actor malicioso debería tener:\n-Una cuenta de usuario válida y nueva en el IDP federado que no haya sido utilizada anteriormente.\n-Conocimiento del nombre de usuario de un usuario válido en el IDP local.\n-Una cuenta en el IDP federado que coincida con el nombre de usuario local objetivo."}],"metrics":{"cvssMetricV31":[{"source":"ed10eef1-636d-4fbe-9993-6890dfa878f8","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L","baseScore":7.7,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":2.2,"impactScore":5.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","baseScore":8.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":5.9}]},"weaknesses":[{"source":"ed10eef1-636d-4fbe-9993-6890dfa878f8","type":"Secondary","description":[{"lang":"en","value":"CWE-290"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2.0","versionEndExcluding":"4.2.0.108","matchCriteriaId":"34356A76-A7CF-4B29-B868-F30394F9F389"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.0.0.171","matchCriteriaId":"7DDF5D0E-D8BB-4BFE-9506-4D683AE1E0F5"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.0","versionEndExcluding":"6.1.0.128","matchCriteriaId":"BF5E20C2-3317-4671-B66D-7437656A2AD6"}]}]}],"references":[{"url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3144/","source":"ed10eef1-636d-4fbe-9993-6890dfa878f8","tags":["Broken Link"]}]}}]}