Security Advisory WSO2-2023-3052¶
Published: 2025-03-18
Updated: 2025-03-18
Version: 1.0.0
Severity: High
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L)
AFFECTED PRODUCTS¶
- WSO2 API Manager 4.2.0, 4.0.0
- WSO2 Micro integrator 4.1.0, 4.0.0, 1.2.0
OVERVIEW¶
XML External Entity (XXE) vulnerability in the PayloadFactory mediator.
DESCRIPTION¶
XML External Entity (XXE) vulnerability is possible when malicious user inputs are being parsed through the PayloadFactory Mediator.
IMPACT¶
This will have an impact only if both of the following conditions are met:
- The deployment has a configured PayloadFactory mediator.
- The attacker is aware of the configured PayloadFactory mediator sequence to craft a malicious payload.
In such a scenario, by leveraging the XXE vulnerability, a malicious actor can disclose local files, denial of service, server-side request forgery, port scanning and other system impacts on affected systems.
SOLUTION¶
Community Users (Open Source)¶
We highly recommend to migrate to the latest version of respective WSO2 products to mitigate the identified vulnerabilities.
Support Subscription Holders¶
Update your product to the specified update level—or a higher update level—to apply the fix.
Info
WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product | Version | U2 Update Level |
|---|---|---|
| WSO2 API Manager | 4.2.0 | 112 |
| WSO2 API Manager | 4.0.0 | 311 |
| WSO2 Micro Integrator | 4.1.0 | 80 |
| WSO2 Micro Integrator | 4.0.0 | 132 |
| WSO2 Micro Integrator | 1.2.0 | 162 |