Security Advisory WSO2-2022-2055

Published: July 28, 2023

Version: 1.0.0

Severity: Medium

CVSS Score: 4.4 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)


AFFECTED PRODUCTS

  • WSO2 API Manager : 3.1.0
  • WSO2 IS as Key Manager : 5.10.0
  • WSO2 Identity Server : 5.10.0

OVERVIEW

XML external entity (XXE) vulnerability through SOAP API.

DESCRIPTION

An XML external entity (XXE) attack is possible through a SOAP API when the malicious actor holds the /permission/admin/manage/event-publish permission, so the attack requires an already privileged account (reflected in the PR:H of the CVSS vector).

IMPACT

By leveraging the XXE vulnerability, a malicious actor can disclose local files, cause denial of service, perform server-side request forgery, scan ports reachable from the server, and cause other system impacts on affected systems.
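The following is an added example, not WSO2 code and not the affected service: it shows the mechanism the advisory describes, an external entity declared in the DTD of a SOAP envelope that a permissive XML parser resolves to a local file, beside the hardened configuration that rejects the DOCTYPE and never resolves external entities. Python's expat stands in for the Java XML stack; the operation name ns:publishEvent, its namespace, and the "secret" file are hypothetical and constructed locally so the script runs offline.

```python
"""XXE through a SOAP envelope: vulnerable parser beside a hardened one.

Added example for this advisory. It is not WSO2 code and does not reproduce
the affected service; element names and the target file are placeholders.
"""
import os
import tempfile
import urllib.request
from xml.parsers import expat


def make_secret_file(content: str = "secret-token") -> str:
    """Constructed stand-in for a local file the attacker wants to read."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return path


def soap_xxe_payload(file_path: str) -> bytes:
    """SOAP envelope whose DTD declares an external entity pointing at a local file.

    ns:publishEvent and its namespace are hypothetical, not the real operation.
    """
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE soapenv:Envelope [\n"
        f'  <!ENTITY xxe SYSTEM "file://{file_path}">\n'
        "]>\n"
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"\n'
        '                  xmlns:ns="http://example.invalid/hypothetical">\n'
        "  <soapenv:Body>\n"
        "    <ns:publishEvent>\n"
        "      <ns:name>&xxe;</ns:name>\n"
        "    </ns:publishEvent>\n"
        "  </soapenv:Body>\n"
        "</soapenv:Envelope>\n"
    ).encode()


def benign_soap_request(name: str = "alice") -> bytes:
    """A legitimate request with no DTD, used to show the hardened parser still works."""
    return (
        '<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"\n'
        '                  xmlns:ns="http://example.invalid/hypothetical">\n'
        "  <soapenv:Body>\n"
        f"    <ns:publishEvent><ns:name>{name}</ns:name></ns:publishEvent>\n"
        "  </soapenv:Body>\n"
        "</soapenv:Envelope>\n"
    ).encode()


def vulnerable_parse(envelope: bytes) -> str:
    """Parser that honours external entities, as a misconfigured XML stack does.

    Returns the character data of the request; with the payload above that is
    the contents of the attacker-chosen file, which is the disclosure.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def resolve_external_entity(context, base, system_id, public_id):
        # Fetch whatever the SYSTEM identifier names (file://, http://, ...)
        # and splice it into the document. This is the XXE.
        sub = parser.ExternalEntityParserCreate(context)
        with urllib.request.urlopen(system_id) as fh:
            sub.Parse(fh.read(), True)
        return 1

    parser.ExternalEntityRefHandler = resolve_external_entity
    parser.Parse(envelope, True)
    return "".join(chunks).strip()


def hardened_parse(envelope: bytes) -> str:
    """Same parser with DOCTYPE declarations rejected outright.

    This mirrors the usual fix on a Java SOAP stack (disallow DOCTYPE, disable
    external general entities): with no DTD no entity can be declared, so
    nothing is ever fetched. Raises ValueError on any request carrying a DTD.
    """
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append

    def reject_doctype(doctype_name, system_id, public_id, has_internal_subset):
        raise ValueError(f"DOCTYPE not allowed in SOAP request (root {doctype_name})")

    parser.StartDoctypeDeclHandler = reject_doctype
    # Fail closed as well: returning 0 makes expat raise instead of fetching.
    parser.ExternalEntityRefHandler = lambda *_: 0
    parser.Parse(envelope, True)
    return "".join(chunks).strip()


if __name__ == "__main__":
    secret = make_secret_file()
    try:
        print("vulnerable parser leaked:", vulnerable_parse(soap_xxe_payload(secret)))
        try:
            hardened_parse(soap_xxe_payload(secret))
        except ValueError as err:
            print("hardened parser rejected request:", err)
        print("hardened parser on benign request:", hardened_parse(benign_soap_request()))
    finally:
        os.remove(secret)
```

Running the script prints the secret from the vulnerable parser, a rejection from the hardened one for the same payload, and the normal result for a request without a DTD; the same split is what to check in any SOAP endpoint's parser configuration.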

SOLUTION

We highly recommend migrating to the latest version of the affected products to mitigate the identified vulnerability.

INFO

If you are a WSO2 customer with a Support Subscription, please use WSO2 Updates to apply the fix.