WSO2 Management Console XML Injection
WSO2 Management Console suffers from an XML external entity injection vulnerability.
XML External Entity (XXE) vulnerability in the WSO2 Management Console

I. VULNERABILITY
-------------------------
XML External Entity (XXE)

II. CVE REFERENCE
-------------------------
CVE-2021-42646

III. VENDOR
-------------------------
https://wso2.com/

IV. TIMELINE
-------------------------
14/02/2021 Vulnerability discovered
14/02/2021 Vendor contacted
01/07/2021 WSO2 replied that they had fixed it

V. CREDIT
-------------------------
Hakan Bayir at Cyberwise.

VI. DESCRIPTION
-------------------------
An XML External Entity vulnerability was identified in the file based service provider creation feature of the Management Console.
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1289

VII. REMEDIATION
-------------------------
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix:
https://github.com/wso2/carbon-identity-framework/pull/3472

-- Hakan Bayır
Related news
XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.