

Security Advisory WSO2-2020-0742

Published: August 17, 2020

Version: 1.0.0

Severity: Critical

CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)

---

AFFECTED PRODUCTS

• WSO2 API Manager : 3.1.0 or earlier
• WSO2 API Microgateway : 2.2.0

OVERVIEW

Potential unauthenticated XML External Entity injection (XXE) and XML Entity Expansion vulnerabilities have been identified in the Management Console.

DESCRIPTION

It was found that the Management Console is vulnerable to XML External Entity Injection and XML Entity Expansion attacks. A remote attacker could send unauthenticated requests with malicious payloads to the affected server.

IMPACT

An XML External Entity injection (XXE) often allows an attacker to view files on the server file system, and to interact with any backend or external systems that the application itself can access and allows the attacker to transmit sensitive data from the compromised server to a system that the attacker controls. An XML Entity Expansion attack might result in a denial-of-service condition, causing the entire application to stop functioning. It is possible to exploit both of the above vulnerabilities without authenticating to the Management Console.

SOLUTION

If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.

Otherwise, you may apply the relevant fixes to the product based on the public fix(s):

• https://github.com/wso2/carbon-governance/pull/341
• https://github.com/wso2/carbon-governance/pull/340
• https://github.com/wso2/carbon-governance/pull/339

Info

If you are a WSO2 customer with a support subscription, use WSO2 Update Manager(WUM) updates in order to apply the fix to the affected versions.

CREDITS

WSO2 thanks, Krzysztof Przybylski for responsibly reporting the identified issue and working with us as we addressed it.