SECURITY ADVISORY WSO2-2022-2353

Published: November 10, 2024

Version: 1.0.0

Severity: Medium

CVSS Score: 5.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:L)


AFFECTED PRODUCTS

  • WSO2 API Manager : 4.1.0, 4.0.0, 3.2.0, 3.1.0, 3.0.0
  • WSO2 Identity Server as Key Manager : 5.10.0, 5.9.0

OVERVIEW

A potential XML External Entity (XXE) vulnerability has been identified in the Publisher Portal.

DESCRIPTION

An XML External Entity vulnerability was identified in the REST APIs used to add new mediation policies for an API in the Publisher Portal.

IMPACT

In order to perform the action, a user account with 'publisher' privileges is required. By leveraging the vulnerability, a malicious actor could read confidential files from the file system or access limited HTTP resources that are reachable (over HTTP GET requests) to the vulnerable product. The same vulnerability could be used to perform denial of service attacks by exhausting server resources.

SOLUTION

We highly recommend to migrate the latest version of respective WSO2 products to mitigate the identified vulnerabilities.

Info

If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.