Description
Due to improper configuration of the XML parser, user-supplied XML is parsed without sufficient restrictions, enabling XML External Entity (XXE) resolution in multiple WSO2 products. A successful XXE attack could allow a remote, unauthenticated attacker to:
- Read sensitive files from the server's filesystem.
- Perform denial-of-service (DoS) attacks, which can render the affected service unavailable.
CVSS breakdown
CVSS 3.1
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: None
- Availability: High
Affected products
- WSO2 / WSO2 API Manager 0 – 2.0.0
- WSO2 / WSO2 API Manager 2.1.0 – 2.1.0
- WSO2 / WSO2 API Manager 2.2.0 – 2.2.0
- WSO2 / WSO2 API Manager 2.5.0 – 2.5.0
- WSO2 / WSO2 API Manager 2.6.0 – 2.6.0
- WSO2 / WSO2 API Manager 3.0.0 – 3.0.0
- WSO2 / WSO2 API Manager 3.1.0 – 3.1.0
- WSO2 / WSO2 API Manager 4.0.0 – 4.0.0.311
- WSO2 / WSO2 API Manager 4.1.0 – 4.1.0.152
- WSO2 / WSO2 API Manager 4.2.0 – 4.2.0.122
- WSO2 / WSO2 Enterprise Integrator 0 – 6.0.0
- WSO2 / WSO2 Enterprise Integrator 6.0.0 – 6.0.0
- WSO2 / WSO2 Enterprise Integrator 6.1.0 – 6.1.0
- WSO2 / WSO2 Enterprise Integrator 6.1.1 – 6.1.1
- WSO2 / WSO2 Enterprise Integrator 6.2.0 – 6.2.0
- WSO2 / WSO2 Enterprise Integrator 6.3.0 – 6.3.0
- WSO2 / WSO2 Enterprise Integrator 6.4.0 – 6.4.0
- WSO2 / WSO2 Enterprise Integrator 6.5.0 – 6.5.0
- WSO2 / WSO2 Enterprise Integrator 6.6.0 – 6.6.0
- WSO2 / WSO2 Enterprise Service Bus 0 – 4.9.0
- WSO2 / WSO2 Enterprise Service Bus 4.9.0 – 4.9.0
- WSO2 / WSO2 Enterprise Service Bus 5.0.0 – 5.0.0
- WSO2 / WSO2 Micro Integrator 0 – 1.0.0
- WSO2 / WSO2 Micro Integrator 1.0.0 – 1.0.0
- WSO2 / WSO2 Micro Integrator 1.1.0 – 1.1.0
- WSO2 / WSO2 Micro Integrator 1.2.0 – 1.2.0.162
- WSO2 / WSO2 Micro Integrator 4.0.0 – 4.0.0.132
- WSO2 / WSO2 Micro Integrator 4.1.0 – 4.1.0.115
- WSO2 / WSO2 Micro Integrator 4.2.0 – 4.2.0.112
- WSO2 / WSO2 Open Banking AM 0 – 1.5.0
- WSO2 / WSO2 Open Banking AM 1.5.0 – 1.5.0