Vulnerabilities > CVE-2021-42646 - XXE vulnerability in Wso2 products

CVSS 9.1 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

wso2

CWE-611

critical

NVD

Published: 2022-05-11

Updated: 2024-01-11

Summary

XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.

Vulnerable Configurations

Part	Description	Count
Application	Wso2 Wso2 API Manager 2.6.0 Wso2 API Manager 3.0.0 Wso2 API Manager 3.1.0 Wso2 API Manager 4.0.0 Wso2 API Manager 3.2.0 Wso2 Identity Server 5.7.0 Wso2 Identity Server 5.8.0 Wso2 Identity Server 5.11.0 Wso2 Identity Server 5.9.0 Wso2 Identity Server 5.10.0 Wso2 Identity Server AS KEY Manager 5.7.0 Wso2 Identity Server AS KEY Manager 5.9.0 Wso2 Identity Server AS KEY Manager 5.10.0	13

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References