Security Advisory WSO2-2022-2055¶
Published: July 28, 2023
Version: 1.0.0
Severity: Medium
CVSS Score: 4.4 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N)
AFFECTED PRODUCTS¶
- WSO2 API Manager : 3.1.0
- WSO2 IS as Key Manager : 5.10.0
- WSO2 Identity Server : 5.10.0
OVERVIEW¶
XML external entity (XXE) vulnerability through SOAP API.
DESCRIPTION¶
XML external entity (XXE) vulnerability is possible through SOAP API when the malicious actor is provided with /permission/admin/manage/event-publish permission.
IMPACT¶
By leveraging the XXE vulnerability, a malicious actor can disclose local files, denial of service, server-side request forgery, port scanning and other system impacts on affected systems.
SOLUTION¶
We highly recommend to migrate the latest version of respective WSO2 product to mitigate the identified vulnerabilities.
Info
If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.