Severity by source
AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.
By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.
AnalysisAI
The component accepts XML input through the publisher without disabling external entity resolution. Rated low severity (CVSS 3.5), this vulnerability is low attack complexity. This XML External Entity (XXE) vulnerability could allow attackers to read arbitrary files or perform SSRF through XML processing.
Technical ContextAI
This vulnerability is classified as XML External Entity (XXE) (CWE-611), which allows attackers to read arbitrary files or perform SSRF through XML processing. The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product. Affected products include: Wso2 Wso2 Api Manager.
RemediationAI
A vendor patch is available. Apply the latest security update as soon as possible. Disable external entity processing in XML parsers, use JSON instead of XML where possible.
More in Wso2 Api Manager
View allServer-side request forgery in WSO2 API Manager lets unauthenticated remote attackers coerce the gateway into making ser
Persistent denial of service in multiple WSO2 products - including WSO2 API Manager, WSO2 Universal Gateway, WSO2 Traffi
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the
Role-based access control bypass in WSO2 API Manager 3.x allows authenticated users with the 'Internal/Everyone' role to
Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, AP
The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response.
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or p
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segrega
HTTP response header injection in WSO2 Webhook API invocations allows unauthenticated remote attackers to inject or over
Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS applicati
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2024-55549
GHSA-4fxw-3p35-q323