Vulnerabilities > CVE-2020-13883 - XXE vulnerability in Wso2 products

CVSS 6.7 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

LOW

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

wso2

CWE-611

NVD

Published: 2020-06-06

Updated: 2020-06-10

Summary

In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.

Vulnerable Configurations

Part	Description	Count
Application	Wso2 Wso2 Identity Server AS KEY Manager - Wso2 Identity Server AS KEY Manager 1.9.0 Wso2 Identity Server AS KEY Manager 1.9.1 Wso2 Identity Server AS KEY Manager 1.10.0 Wso2 Identity Server AS KEY Manager 2.0.0 Wso2 Identity Server AS KEY Manager 2.1.0 Wso2 Identity Server AS KEY Manager 2.2.0 Wso2 Identity Server AS KEY Manager 2.5.0 Wso2 Identity Server AS KEY Manager 2.6.0 Wso2 Identity Server AS KEY Manager 3.0.0 Wso2 Identity Server AS KEY Manager 3.1.0 Wso2 Identity Server AS KEY Manager 5.0.0 Wso2 Identity Server AS KEY Manager 5.1.0 Wso2 Identity Server AS KEY Manager 5.2.0 Wso2 Identity Server AS KEY Manager 5.3.0 Wso2 Identity Server AS KEY Manager 5.4.0 Wso2 Identity Server AS KEY Manager 5.4.1 Wso2 Identity Server AS KEY Manager 5.5.0 Wso2 Identity Server AS KEY Manager 5.6.0 Wso2 Identity Server AS KEY Manager 5.7.0 Wso2 Identity Server AS KEY Manager 5.8.0 Wso2 Identity Server AS KEY Manager 5.9.0 Wso2 API Microgateway 2.2.0 Wso2 API Manager - Wso2 API Manager 1.0.0 Wso2 API Manager 1.1.1 Wso2 API Manager 1.2.0 Wso2 API Manager 1.3.0 Wso2 API Manager 1.3.1 Wso2 API Manager 1.4.0 Wso2 API Manager 1.5.0 Wso2 API Manager 1.6.0 Wso2 API Manager 1.7.0 Wso2 API Manager 1.8.0 Wso2 API Manager 1.9.0 Wso2 API Manager 1.9.1 Wso2 API Manager 1.10.0 Wso2 API Manager 2.0.0 Wso2 API Manager 2.1.0 Wso2 API Manager 2.2.0 Wso2 API Manager 2.5.0 Wso2 API Manager 2.6.0 Wso2 API Manager 3.0.0	43

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0727