CVE-2024-0391 Overview
CVE-2024-0391 is a user enumeration vulnerability in the email One-Time Password (OTP) authentication flow of several WSO2 products. The account lock-state check performed during that flow does not properly validate the supplied username, and its response lets an unauthenticated attacker infer whether a given account exists. The weakness is classified as [CWE-204: Observable Response Discrepancy].
Usernames harvested through this flaw feed brute-force, password-spraying and credential-stuffing attacks, and give phishing campaigns confirmed targets for credential-theft lures. The vulnerability is exploitable over the network without privileges or user interaction.
Critical Impact
Unauthenticated remote attackers can enumerate valid user accounts through response discrepancies in the email OTP account lock-state check, enabling downstream phishing and brute-force attacks.
Affected Products
- WSO2 products implementing the email OTP authentication flow (see WSO2 Security Advisory WSO2-2024-3115 for the specific product and version matrix)
Discovery Timeline
- 2026-05-11 - CVE-2024-0391 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2024-0391
Vulnerability Analysis
The vulnerability resides in the account lock-state validation logic invoked during the email OTP authentication flow. When a client submits a username, the server evaluates whether the account is locked and returns observably different responses depending on whether the username exists. An attacker can submit candidate usernames and classify responses to confirm registered accounts.
This weakness maps to [CWE-204: Observable Response Discrepancy]. The flaw is a business logic and information disclosure issue rather than a memory safety or injection defect. No authentication or user interaction is required to trigger the discrepancy.
The confidentiality impact is limited to user identifiers, with no integrity or availability impact. However, a confirmed list of accounts substantially raises the success rate of password spraying, credential stuffing, and phishing operations against affected deployments.
Root Cause
The email OTP code path evaluates the account lock state before input validation and response normalization are complete, so the outcome of that check surfaces in what the client sees. Whether the signal is a different message, a different status code, or a timing difference is not detailed in public sources; any one of them is enough for an external observer to tell a registered username from an unregistered one, which is exactly the deviation from uniform-response design that CWE-204 describes.
Attack Vector
The attack is purely network-based. An attacker iterates a list of candidate usernames through the email OTP endpoint and compares each response against the response for a username that certainly does not exist; any deviation confirms a registered account. Discovered accounts are then channeled into follow-on credential attacks or targeted phishing. Public sources describe the mechanism in prose only; refer to WSO2 Security Advisory WSO2-2024-3115 for vendor-supplied technical details.
Detection Methods for CVE-2024-0391
Indicators of Compromise
- High-volume sequential or dictionary-based requests to the email OTP authentication endpoint originating from a single source or distributed botnet
- Repeated authentication attempts that probe many distinct usernames with no completion of the OTP step
- Spikes in failed lock-state lookups or anomalous ratios of "account not found" versus "account locked" responses in application logs
Detection Strategies
- Baseline normal request rates against the email OTP endpoint and alert on deviations in unique-username-per-source-IP metrics
- Correlate authentication telemetry with downstream phishing reports and credential-stuffing patterns observed against the same identities
- Inspect WSO2 Identity Server audit logs for enumeration-style traffic patterns targeting account lock-state APIs
Monitoring Recommendations
- Forward WSO2 authentication and audit logs to a centralized SIEM or data lake for retention and correlation
- Monitor for anomalous geographic distribution and user-agent diversity against the OTP endpoint
- Track per-IP and per-ASN enumeration rates and trigger automated rate-limit or block actions on threshold breach
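The detection strategy above (unique usernames per source IP against the OTP endpoint, the not-found versus locked ratio, and a threshold that drives a rate-limit or block action) is straightforward to prototype before it goes into a SIEM rule. The following is an added example, not WSO2 code: it parses constructed log lines in an assumed `timestamp ip path user=... outcome=...` layout (this is not WSO2's real audit-log format), computes distinct usernames per source inside a sliding window, and returns the sources that breach the threshold together with the share of "user not found" outcomes. The endpoint path, outcome strings, and thresholds are all assumptions to adapt to your own telemetry.

```python
"""Enumeration detector for email-OTP authentication traffic.

Added example, not vendor code. Log layout, path names, outcome values and
thresholds are assumptions; substitute the fields your WSO2 audit logs emit.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format). One source probes eight usernames in
# seven seconds, mostly unknown ones; another source is a normal user who
# completes the flow. One malformed line is included to show it is skipped.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 203.0.113.5 /emailotp/authenticate user=alice outcome=OTP_SENT
2024-06-01T10:00:02Z 203.0.113.5 /emailotp/authenticate user=bob outcome=ACCOUNT_LOCKED
2024-06-01T10:00:03Z 203.0.113.5 /emailotp/authenticate user=carol outcome=USER_NOT_FOUND
2024-06-01T10:00:04Z 203.0.113.5 /emailotp/authenticate user=dave outcome=USER_NOT_FOUND
2024-06-01T10:00:05Z 198.51.100.7 /emailotp/authenticate user=erin outcome=OTP_SENT
2024-06-01T10:00:05Z 203.0.113.5 /emailotp/authenticate user=frank outcome=USER_NOT_FOUND
2024-06-01T10:00:06Z 203.0.113.5 /emailotp/authenticate user=grace outcome=USER_NOT_FOUND
2024-06-01T10:00:07Z 203.0.113.5 /emailotp/authenticate user=heidi outcome=USER_NOT_FOUND
2024-06-01T10:00:08Z 203.0.113.5 /emailotp/authenticate user=ivan outcome=USER_NOT_FOUND
this line is malformed and must be skipped
2024-06-01T10:00:40Z 198.51.100.7 /emailotp/verify user=erin outcome=OTP_VERIFIED
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<path>\S+) user=(?P<user>\S+) outcome=(?P<outcome>\S+)$"
)


def parse_log(text):
    """Return (timestamp, ip, path, user, outcome) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["path"], m["user"], m["outcome"]))
    return events


def find_enumerators(events, path="/emailotp/authenticate",
                     window=timedelta(seconds=60), max_unique=5):
    """Flag source IPs that submit more than max_unique distinct usernames to
    `path` inside any `window`. For each flagged IP report the largest distinct
    username count observed and the fraction of USER_NOT_FOUND outcomes in that
    window; a high fraction is the dictionary-probing signature."""
    by_ip = defaultdict(list)
    for ts, ip, p, user, outcome in sorted(events):
        if p == path:
            by_ip[ip].append((ts, user, outcome))

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # advance the window start until all events fit inside `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            uniq = len({u for _, u, _ in span})
            if uniq > max_unique and (best is None or uniq > best["unique_users"]):
                not_found = sum(1 for _, _, o in span if o == "USER_NOT_FOUND")
                best = {"unique_users": uniq,
                        "not_found_ratio": round(not_found / len(span), 2)}
        if best:
            flagged[ip] = best
    return flagged


def enforcement_plan(flagged, block_ratio=0.5):
    """Map flagged IPs to an action: block when most probes hit unknown users
    (pure enumeration), otherwise only rate-limit (could be a shared NAT)."""
    return {ip: ("block" if s["not_found_ratio"] >= block_ratio else "rate-limit")
            for ip, s in flagged.items()}


if __name__ == "__main__":
    hits = find_enumerators(parse_log(SAMPLE_LOG))
    print(hits)                    # {'203.0.113.5': {'unique_users': 8, 'not_found_ratio': 0.75}}
    print(enforcement_plan(hits))  # {'203.0.113.5': 'block'}
```

The window is per source IP; for per-ASN tracking, key `by_ip` on the ASN your enrichment pipeline attaches to each event instead. Keep the threshold low enough to catch slow enumeration: the sliding window still fires when eight usernames arrive over, say, 50 seconds, but an attacker spreading probes across many sources needs the distributed-botnet correlation the text mentions, which this per-source counter does not provide.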
How to Mitigate CVE-2024-0391
Immediate Actions Required
- Apply the vendor fix referenced in WSO2 Security Advisory WSO2-2024-3115 to all affected WSO2 deployments
- Inventory exposed email OTP endpoints and restrict access to trusted networks where business requirements allow
- Enforce rate limiting and progressive delays on authentication endpoints to slow enumeration attempts
Patch Information
WSO2 published Security Advisory WSO2-2024-3115 for this issue. It is the authoritative source for the list of affected products, fixed versions, and remediation steps; apply the updates or patches it defines.
Workarounds
- Place the email OTP endpoint behind a Web Application Firewall (WAF) or reverse proxy configured to enforce rate limiting and anomaly-based blocking on authentication paths
- Normalize server responses so that valid and invalid usernames produce identical messages, status codes, and response timing; note that a proxy can rewrite bodies and status codes, but it cannot close a timing channel in the backend, so this is a stopgap until the vendor fix is applied
- Require CAPTCHA or proof-of-work challenges on repeated authentication attempts from the same source
- Reduce lock-state disclosure by deferring lock-state evaluation until after OTP submission rather than during username entry, where the product configuration allows it
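To make the root cause and the "normalize responses" workaround concrete, the following is an added illustration, not WSO2 code: it models the leaky pattern the advisory describes (lock-state check evaluated before the response is normalized) beside a uniform-response version, and an attacker-side classifier that confirms accounts by comparing each candidate against the response for a username that certainly does not exist. The user store, messages, status codes, and the `_dispatch_otp` sink are all assumptions.

```python
"""Observable-response-discrepancy (CWE-204) in an OTP lock-state check.

Added illustration, not WSO2 code. The user store, response texts and status
codes are assumptions chosen to show the pattern, not the product's actual
behaviour.
"""
import secrets
from dataclasses import dataclass

# Constructed user store (assumption): username -> account is locked
USERS = {"alice": False, "bob": True}

# Constructed sink standing in for the mail gateway; records who was sent an OTP
SENT = []


def _dispatch_otp(username):
    SENT.append(username)


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def leaky_otp_request(username: str) -> Response:
    """Vulnerable pattern: the lock-state check runs before the response is
    normalised, so 'unknown', 'locked' and 'active' are all distinguishable."""
    if username not in USERS:
        return Response(404, "User not found")
    if USERS[username]:
        return Response(403, "Account is locked")
    _dispatch_otp(username)
    return Response(200, "OTP sent")


def uniform_otp_request(username: str) -> Response:
    """Hardened pattern: the lock state still gates whether an OTP is actually
    dispatched, but every branch returns the same status and body. Timing must
    be equalised as well (always perform the same lookups); this model does
    not measure timing."""
    if username in USERS and not USERS[username]:
        _dispatch_otp(username)
    return Response(200, "If the account exists, a code has been sent")


def enumerate_users(endpoint, candidates):
    """Attacker-side classifier: any response that differs from the baseline
    for a certainly-unregistered username confirms the candidate exists,
    whether or not it is locked."""
    baseline = endpoint("no-such-user-" + secrets.token_hex(8))
    return sorted(u for u in candidates if endpoint(u) != baseline)


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol"]
    print("leaky  :", enumerate_users(leaky_otp_request, wordlist))    # ['alice', 'bob']
    print("uniform:", enumerate_users(uniform_otp_request, wordlist))  # []
```

The point of the hardened version is that the security decision (do not send a code to a locked or unknown account) still happens, but it no longer has an observable effect on the reply; the legitimate user learns the result from the email, not from the HTTP response. Any residual difference, including how long the lookup takes, reopens the channel, which is why a proxy-level rewrite of bodies and status codes is only a partial workaround.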
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.