SECURITY ADVISORY WSO2-2022-2353
Published: November 10, 2024
Version: 1.0.0
Severity: Medium
CVSS Score: 5.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L)
AFFECTED PRODUCTS
- WSO2 API Manager: 4.1.0, 4.0.0, 3.2.0, 3.1.0, 3.0.0
- WSO2 Identity Server as Key Manager: 5.10.0, 5.9.0
OVERVIEW
A potential XML External Entity (XXE) vulnerability has been identified in the Publisher Portal.
DESCRIPTION
An XML External Entity vulnerability was identified in the Publisher Portal REST APIs used to add a new mediation policy to an API. A mediation policy is submitted as an XML document, and that document was parsed in a way that honours entity declarations supplied by the caller, including external (SYSTEM) entities.
IMPACT
Exploitation requires a user account with 'publisher' privileges, so the attacker must already be an authenticated Publisher Portal user (reflected as PR:H in the CVSS vector). With such an account, a malicious actor can submit a crafted policy document whose external entity makes the server read confidential files from its own file system, or access limited HTTP resources that are reachable from the vulnerable product over HTTP GET requests (a server-side request forgery primitive). The same entity mechanism can also be used to exhaust server resources, for example through recursive entity expansion, resulting in a denial of service.
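The mechanism behind the description and impact above, as an added example that is not WSO2's code and not part of this advisory: a stand-in policy upload handler that parses the submitted XML the vulnerable way (external general entities resolved, so a SYSTEM entity in an attacker-supplied DOCTYPE inlines a server-side file into the parsed document) beside a hardened version that refuses any DOCTYPE and keeps external entity resolution off. The policy format (`<sequence>`/`<note>`), the function names, the payload and the secret file are assumptions constructed for the demonstration; Python's standard-library SAX parser stands in for the product's Java XML stack.

```python
"""Added example (not WSO2 code): XXE through an XML policy upload.

parse_policy_vulnerable() resolves external general entities, the XXE-prone
configuration; parse_policy_hardened() refuses any DOCTYPE and keeps
external entities off. Policy format, names and the secret file are
assumptions constructed for this demonstration.
"""
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


class NoteCollector(ContentHandler):
    """Collects the text of every <note> element in the uploaded policy."""

    def __init__(self):
        super().__init__()
        self.notes = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "note":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "note" and self._buf is not None:
            self.notes.append("".join(self._buf))
            self._buf = None


def parse_policy_vulnerable(policy_xml: bytes) -> list:
    """XXE-prone parse: a SYSTEM entity declared in the DOCTYPE is opened by
    the parser (a file path here; an http:// identifier would be fetched
    with a GET) and its content becomes part of the parsed document."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, True)  # the weak setting
    handler = NoteCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(policy_xml))
    return handler.notes


class DoctypeRejected(ValueError):
    """Raised when an uploaded policy carries a DOCTYPE declaration."""


class _DoctypeGuard:
    """Lexical-handler callbacks. startDTD fires before the internal subset
    (and any entity declarations in it) is parsed, so aborting there blocks
    external entities and recursive-expansion payloads alike."""

    def startDTD(self, name, public_id, system_id):
        raise DoctypeRejected("DOCTYPE is not accepted in a policy upload")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_policy_hardened(policy_xml: bytes) -> list:
    """Same parse with two controls: no DOCTYPE at all, and external general
    entities disabled as defence in depth."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    parser.setProperty(property_lexical_handler, _DoctypeGuard())
    handler = NoteCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(policy_xml))
    return handler.notes


def build_xxe_policy(target_path: str) -> bytes:
    """Constructed attacker upload: declare an external entity pointing at a
    file on the server, then reference it in the policy body."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE sequence [<!ENTITY xxe SYSTEM "{}">]>\n'
        '<sequence name="leak"><note>&xxe;</note></sequence>\n'
    ).format(target_path).encode()


def run_demo() -> dict:
    """Run both parsers against the payload and against a benign policy."""
    benign = b'<sequence name="ok"><note>hello</note></sequence>'
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in for a server-side configuration file holding a credential.
        secret_path = os.path.join(tmp, "db.properties")
        with open(secret_path, "w", encoding="ascii") as fh:
            fh.write("s3cr3t-db-password")
        payload = build_xxe_policy(secret_path)
        leaked = parse_policy_vulnerable(payload)  # file content is inlined
        try:
            parse_policy_hardened(payload)
            blocked = False
        except DoctypeRejected:
            blocked = True
    return {"leaked": leaked, "blocked": blocked,
            "benign": parse_policy_hardened(benign)}


if __name__ == "__main__":
    print(run_demo())
```

In a JAXP-based parser the two hardened settings correspond to the features `http://apache.org/xml/features/disallow-doctype-decl` (set to true) and `http://xml.org/sax/features/external-general-entities` (set to false). Refusing the DOCTYPE outright also removes the entity declarations that recursive-expansion denial-of-service payloads depend on, and the same SYSTEM declaration with an http:// identifier is how the HTTP GET access described in the impact section arises.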
SOLUTION
We highly recommend migrating to the latest version of the respective WSO2 products to mitigate the identified vulnerability.
Info: If you are a WSO2 customer with a Support Subscription, please use WSO2 Updates to apply the fix.