Vulnerabilities > CVE-2020-13883 - XXE vulnerability in Wso2 products

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

SINGLE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

wso2

CWE-611

NVD

Published: 2020-06-06

Updated: 2020-06-10

Summary

In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.

Vulnerable Configurations

Part	Description	Count
Application	Wso2 Wso2 API Manager 1.0.0 Wso2 API Manager 1.1.1 Wso2 API Manager 1.2.0 Wso2 API Manager 1.3.0 Wso2 API Manager 1.3.1 Wso2 API Manager 1.4.0 Wso2 API Manager 1.5.0 Wso2 API Manager 1.6.0 Wso2 API Manager 1.7.0 Wso2 API Manager 1.8.0 Wso2 API Manager 1.9.0 Wso2 API Manager 1.9.1 Wso2 API Manager 1.10.0 Wso2 API Manager 2.0.0 Wso2 API Manager 2.1.0 Wso2 API Manager 2.2.0 Wso2 API Manager 2.5.0 Wso2 API Manager 2.6.0 Wso2 API Manager 3.0.0 Wso2 API Microgateway 2.2.0 Wso2 Identity Server AS KEY Manager 5.0.0 Wso2 Identity Server AS KEY Manager 5.1.0 Wso2 Identity Server AS KEY Manager 5.2.0 Wso2 Identity Server AS KEY Manager 5.3.0 Wso2 Identity Server AS KEY Manager 5.4.0 Wso2 Identity Server AS KEY Manager 5.4.1 Wso2 Identity Server AS KEY Manager 5.5.0 Wso2 Identity Server AS KEY Manager 5.6.0 Wso2 Identity Server AS KEY Manager 5.7.0 Wso2 Identity Server AS KEY Manager 5.8.0 Wso2 Identity Server AS KEY Manager 5.9.0	31

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0727