Vulnerabilities > CVE-2023-6836 - XXE vulnerability in Wso2 products

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

wso2

CWE-611

NVD

Published: 2023-12-15

Updated: 2023-12-19

Summary

Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.

Vulnerable Configurations

Part	Description	Count
Application	Wso2 Wso2 API Manager - Wso2 API Manager 1.0.0 Wso2 API Manager 1.1.1 Wso2 API Manager 1.2.0 Wso2 API Manager 1.3.0 Wso2 API Manager 1.3.1 Wso2 API Manager 1.4.0 Wso2 API Manager 1.5.0 Wso2 API Manager 1.6.0 Wso2 API Manager 1.7.0 Wso2 API Manager 1.8.0 Wso2 API Manager 1.9.0 Wso2 API Manager 1.9.1 Wso2 API Manager 1.10.0 Wso2 API Manager 2.0.0 Wso2 API Manager 2.1.0 Wso2 API Manager 2.2.0 Wso2 API Manager 2.5.0 Wso2 API Manager 2.6.0 Wso2 API Manager 3.0.0 Wso2 API Manager Analytics 2.2.0 Wso2 API Manager Analytics 2.5.0 Wso2 API Microgateway 2.2.0 Wso2 Enterprise Integrator 6.1.0 Wso2 Enterprise Integrator 6.1.1 Wso2 Enterprise Integrator 6.2.0 Wso2 Enterprise Integrator 6.3.0 Wso2 Enterprise Integrator 6.4.0 Wso2 Enterprise Integrator 6.5.0 Wso2 Enterprise Integrator 6.6.0 Wso2 Identity Server AS KEY Manager 5.7.0 Wso2 Identity Server AS KEY Manager 5.6.0 Wso2 Identity Server AS KEY Manager 5.9.0 Wso2 Identity Server AS KEY Manager 5.0.0 Wso2 Identity Server 5.5.0 Wso2 Identity Server 5.6.0 Wso2 Identity Server 5.4.0 Wso2 Identity Server 5.4.1 Wso2 Micro Integrator 1.0.0	39

Common Weakness Enumeration (CWE)

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/