CVE-2020-14446: Open Redirect in WSO2 Identity Server

01/Description

What this actually is.

Technical background, root cause, and affected surface.

Client-side open redirect arises when an application incorporates user-controllable data into the target of a redirection in an unsafe way. XSS payload is allowed to redirect the user to the external domain in the product WSO2 Identity Server version 5.9.0.

*Affected Products: WSO2 IS as Key Manager 5.9.0 or earlier, WSO2 Identity Server 5.9.0 or earlier

Vendor: WSO2
Affected Product: See Full List Below*
CVE: CVE-2020-14446
Securin ID: 2020-CSW-06-1044
Status: Fixed
Date: February 10, 2020
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-601

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The following vulnerability was tested on WSO2 Identity Server Manager version 5.9.0 Product.

PoC · Exploitation Steps▲ trigger

01Issue 01: Client-side URL Redirection.02Figure 01: Navigating to the Policy Administration and Clicking the Add New Entitlement Policy Link.03Figure 02: Clicking the Write Policy in XML opens the URL and Editor.04Figure 03: Entering the domain http://evil.com in the variable CallbackURL.05Figure 04: Entered domain saved in the DOM object and reflected in the Response body.06Figure 05: Forwarding the request and clicking the Cancel button triggers the URL navigation script and redirects to the custom entered domain.

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

An attacker can construct a URL within the application that causes a redirection to an arbitrary external domain. This behavior can be leveraged to facilitate phishing attacks against users of the application.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download and apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-identity-framework/pull/2848

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-14446, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jan 31,2020

Discovered in WSO2 Identity Server Manager version 5.9.0

Feb 04, 2020

CSW conducted an Internal Review

Feb 10, 2020

Reported to the WSO2 security team

June 05, 2020

Published to the public domain

Disclosed 126 days after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2020-14446

nvd.nist.gov/vuln/detail/CVE-2020-14446 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

01/Description

What this actually is.

Technical background, root cause, and affected surface.

*Affected Products: WSO2 IS as Key Manager 5.9.0 or earlier, WSO2 Identity Server 5.9.0 or earlier

Vendor: WSO2
Affected Product: See Full List Below*
CVE: CVE-2020-14446
Securin ID: 2020-CSW-06-1044
Status: Fixed
Date: February 10, 2020
Severity: Medium
CVSS Score: 6.1
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-601

02/Proof of Concept

From one request
to root shell.

Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ScopeChanged

ImpactC:L / I:L / A:N

SeverityMedium

The following vulnerability was tested on WSO2 Identity Server Manager version 5.9.0 Product.

PoC · Exploitation Steps▲ trigger

03/Impact

What an attacker does to you.

Post-exploitation outcomes mapped to CVSS impact metrics.

04/Remediation

Fix it. In this order.

A runbook, not a checklist. Sequence matters — assume compromise before you act.

Download and apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-identity-framework/pull/2848

Securin advisory — For coordinated remediation support or threat-actor briefings related to CVE-2020-14446, contact disclose@securin.io

05/Disclosure Timeline

Vendors moved in days.
Attackers in hours.

Reconstructed from vendor advisories, CISA bulletins, and Securin research records.

Jan 31,2020

Discovered in WSO2 Identity Server Manager version 5.9.0

Feb 04, 2020

CSW conducted an Internal Review

Feb 10, 2020

Reported to the WSO2 security team

June 05, 2020

Published to the public domain

Disclosed 126 days after discovery

06/References

Cite, verify, go deeper.

Primary sources — NVD, CISA KEV, and machine-readable IoC feed.

NVD

NVD — CVE-2020-14446

nvd.nist.gov/vuln/detail/CVE-2020-14446 →

SEC

Securin VI — Full Technical Analysis

vi.securin.io →

Open Redirect in WSO2 Product

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in WSO2 Identity Server Manager version 5.9.0

CSW conducted an Internal Review

Reported to the WSO2 security team

Published to the public domain

Cite, verify, go deeper.

NVD — CVE-2020-14446

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Open Redirect in WSO2 Product

What this actually is.

From one request
to root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.
Attackers in hours.

Discovered in WSO2 Identity Server Manager version 5.9.0

CSW conducted an Internal Review

Reported to the WSO2 security team

Published to the public domain

Cite, verify, go deeper.

NVD — CVE-2020-14446

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Open Redirect in WSO2 Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in WSO2 Identity Server Manager version 5.9.0

CSW conducted an Internal Review

Reported to the WSO2 security team

Published to the public domain

Cite, verify, go deeper.

NVD — CVE-2020-14446

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

Open Redirect in WSO2 Product

What this actually is.

From one requestto root shell.

What an attacker does to you.

Fix it. In this order.

Vendors moved in days.Attackers in hours.

Discovered in WSO2 Identity Server Manager version 5.9.0

CSW conducted an Internal Review

Reported to the WSO2 security team

Published to the public domain

Cite, verify, go deeper.

NVD — CVE-2020-14446

Securin VI — Full Technical Analysis

Let Securin level up your security posture.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.

From one request
to root shell.

Vendors moved in days.
Attackers in hours.