Description
Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected products
- WSO2 / WSO2 API Manager0 – 3.0.0.0
- WSO2 / WSO2 API Manager3.0.0.0 – 3.0.0.1
- WSO2 / WSO2 API Manager Analytics2.5.0.0 – 2.5.0.1
- WSO2 / WSO2 API Manager Analytics0 – 2.2.0.0
- WSO2 / WSO2 API Manager Analytics2.2.0.0 – 2.2.0.1
- WSO2 / WSO2 API Microgateway0 – 2.2.0.0
- WSO2 / WSO2 API Microgateway2.2.0.0 – 2.2.0.1
- WSO2 / WSO2 Enterprise Integrator6.0.0.0 – 6.0.0.3
- WSO2 / WSO2 Enterprise Integrator0 – 6.0.0.2
- WSO2 / WSO2 Enterprise Integrator6.1.0.0 – 6.1.0.5
- WSO2 / WSO2 Enterprise Integrator6.1.1.0 – 6.1.1.5
- WSO2 / WSO2 Enterprise Integrator6.6.0.0 – 6.6.0.1
- WSO2 / WSO2 Identity Server0 – 5.4.0.0
- WSO2 / WSO2 Identity Server5.6.0.0 – 5.6.0.1
- WSO2 / WSO2 Identity Server5.5.0.0 – 5.5.0.1
- WSO2 / WSO2 Identity Server5.4.1.0 – 5.4.1.1
- WSO2 / WSO2 Identity Server5.4.0.0 – 5.4.0.1
- WSO2 / WSO2 IS as Key Manager0 – 5.5.0.0
- WSO2 / WSO2 IS as Key Manager5.5.0.0 – 5.5.0.1
- WSO2 / WSO2 IS as Key Manager5.6.0.0 – 5.6.0.1
- WSO2 / WSO2 IS as Key Manager5.7.0.0 – 5.7.0.1
- WSO2 / WSO2 IS as Key Manager5.9.0.0 – 5.9.0.1
- WSO2 / WSO2 Micro integrator0 – 1.0.0.0
- WSO2 / WSO2 Micro integrator1.0.0.0 – 1.0.0.1