XML External Entity Vulnerability in WSO2 API Manager and Identity Server
CVE-2021-42646

9.1 CRITICAL

Key Information:

Vendor:
WSO2

CVE Published:
11 May 2022

What is CVE-2021-42646?

WSO2 API Manager and WSO2 Identity Server are affected by an XML External Entity (XXE) vulnerability in the file-based service provider creation feature of their Management Console. An attacker can trigger it by sending crafted GET requests, which may lead to unauthorized disclosure of sensitive information or to a denial of service condition. This is a significant risk for organizations running these WSO2 products, because it can allow confidential data to be read from the server or service to be interrupted.

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
