XML External Entity Vulnerability in WSO2 API Manager and Identity Server
CVE-2021-42646

9.1CRITICAL

Key Information:

Vendor

Wso2

Status
Api Manager
Identity Server
Identity Server As Key Manager
Vendor
CVE Published:
11 May 2022

What is CVE-2021-42646?

The WSO2 API Manager and Identity Server are susceptible to an XML External Entity (XXE) vulnerability that exists in the file-based service provider creation feature within their Management Console. Attackers can exploit this vulnerability by sending crafted GET requests, which may lead to unauthorized access to sensitive information or result in a denial of service condition. This highlights a significant risk for organizations using these WSO2 products, as it allows for the potential extraction of confidential data from the server or interruption of service.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://github.com/wso2/carbon-identity-framework/pull/3472
http://seclists.org/fulldisclosure/2022/Jun/7
mailing-list
http://packetstormsecurity.com/files/167465/WSO2-Manageme...

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.