Vulnerabilities > CVE-2020-12719 - XXE vulnerability in Wso2 products

CVSS 7.2 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

wso2

CWE-611

NVD

Published: 2020-05-08

Updated: 2020-05-14

Summary

XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier.

Vulnerable Configurations

Part	Description	Count
Application	Wso2 Wso2 Identity Server Analytics - Wso2 Identity Server Analytics 5.4.0 Wso2 Identity Server Analytics 5.4.1 Wso2 Identity Server Analytics 5.5.0 Wso2 Identity Server Analytics 5.6.0 Wso2 Identity Server 1.5.0 Wso2 Identity Server 2.0.0 Wso2 Identity Server 2.0.1 Wso2 Identity Server 2.0.2 Wso2 Identity Server 2.0.3 Wso2 Identity Server 3.0.0 Wso2 Identity Server 3.0.1 Wso2 Identity Server 3.2.0 Wso2 Identity Server 3.2.2 Wso2 Identity Server 3.2.3 Wso2 Identity Server 4.0.0 Wso2 Identity Server 4.1.0 Wso2 Identity Server 4.5.0 Wso2 Identity Server 4.6.0 Wso2 Identity Server 5.0.0 Wso2 Identity Server 5.1.0 Wso2 Identity Server 5.2.0 Wso2 Identity Server 5.3.0 Wso2 Identity Server 5.4.0 Wso2 Identity Server 5.4.1 Wso2 Identity Server 5.5.0 Wso2 Identity Server 5.6.0 Wso2 Identity Server 5.7.0 Wso2 Identity Server 5.8.0 Wso2 Identity Server 5.9.0 Wso2 Identity Server AS KEY Manager - Wso2 Identity Server AS KEY Manager 1.9.0 Wso2 Identity Server AS KEY Manager 1.9.1 Wso2 Identity Server AS KEY Manager 1.10.0 Wso2 Identity Server AS KEY Manager 2.0.0 Wso2 Identity Server AS KEY Manager 2.1.0 Wso2 Identity Server AS KEY Manager 2.2.0 Wso2 Identity Server AS KEY Manager 2.5.0 Wso2 Identity Server AS KEY Manager 2.6.0 Wso2 Identity Server AS KEY Manager 3.0.0 Wso2 Identity Server AS KEY Manager 3.1.0 Wso2 Identity Server AS KEY Manager 5.0.0 Wso2 Identity Server AS KEY Manager 5.1.0 Wso2 Identity Server AS KEY Manager 5.2.0 Wso2 Identity Server AS KEY Manager 5.3.0 Wso2 Identity Server AS KEY Manager 5.4.0 Wso2 Identity Server AS KEY Manager 5.4.1 Wso2 Identity Server AS KEY Manager 5.5.0 Wso2 Identity Server AS KEY Manager 5.6.0 Wso2 Identity Server AS KEY Manager 5.7.0 Wso2 Identity Server AS KEY Manager 5.8.0 Wso2 Identity Server AS KEY Manager 5.9.0 Wso2 Enterprise Integrator 6.1.0 Wso2 Enterprise Integrator 6.1.1 Wso2 Enterprise Integrator 6.2.0 Wso2 Enterprise Integrator 6.3.0 Wso2 Enterprise Integrator 6.4.0 Wso2 API Microgateway 2.2.0 Wso2 API Manager Analytics 2.2.0 Wso2 API Manager Analytics 2.5.0 Wso2 API Manager - Wso2 API Manager 1.0.0 Wso2 API Manager 1.1.1 Wso2 API Manager 1.2.0 Wso2 API Manager 1.3.0 Wso2 API Manager 1.3.1 Wso2 API Manager 1.4.0 Wso2 API Manager 1.5.0 Wso2 API Manager 1.6.0 Wso2 API Manager 1.7.0 Wso2 API Manager 1.8.0 Wso2 API Manager 1.9.0 Wso2 API Manager 1.9.1 Wso2 API Manager 1.10.0 Wso2 API Manager 2.0.0 Wso2 API Manager 2.1.0 Wso2 API Manager 2.2.0 Wso2 API Manager 2.5.0 Wso2 API Manager 2.6.0 Wso2 API Manager 3.0.0	80

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665