CVE-2021-42646¶
WSO2 Products Impacted: No
Customers Actions Required: No
REPORTED VULNERABILITY¶
An XML External Entity (XXE) vulnerability in the file-based service provider creation feature of the WSO2 Management Console allows attackers to send crafted GET requests to access sensitive files or cause denial of service by exploiting insecure XML parsing 12.
REPORTED PRODUCTS¶
- WSO2 API Manager: 2.6.0, 3.0.0, 3.1.0, 3.2.0, 4.0.0
- WSO2 Identity Server: 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0
- WSO2 Identity Server as Key Manager: 5.7.0, 5.9.0, 5.10.0
WSO2 JUSTIFICATION¶
The vulnerability mentioned in CVE-2021-42646 12 has been addressed and fixed in the respective versions as per the advisory published at WSO2-2021-1289 3. The affected components and their corresponding fixed versions are listed below:
Affected Components and Fixed Versions:¶
WSO2 Carbon Identity Application Management (org.wso2.carbon.identity.application.mgt)¶
Unaffected ranges are,
| version (start range) | <= version (range) | Version Type |
|---|---|---|
| 5.12.153.10 | 5.12.153.* | Commercial |
| 5.12.387.4 | 5.12.387.* | Commercial |
| 5.14.97.8 | 5.14.97.* | Commercial |
| 5.17.5.59 | 5.17.5.* | Commercial |
| 5.18.187.53 | 5.18.187.* | Commercial |
CONCLUSION¶
Based on the following key points:
- The omission of commercial patch versions in external advisories.
- The correct identification of affected and fixed versions has not been provided in the original CVE publication[1[2]].
- A fix has already been included as per WSO2-2021-1289 3.
Therefore, WSO2 concludes that this is a false positive, and not an exploitable vulnerability in WSO2 products when using the fixed or later versions.