XML External Entity Vulnerability in WSO2 Products
CVE-2023-6836

4.6 MEDIUM

What is CVE-2023-6836?

Multiple WSO2 products are susceptible to an XML External Entity (XXE) vulnerability, allowing attackers to exploit a seldom-used feature of XML parsers. This flaw could permit unauthorized access to sensitive information within the affected systems, posing a significant risk to data integrity and confidentiality. Users of WSO2 API Manager, WSO2 Identity Server, and WSO2 Enterprise Integrator should take immediate action to mitigate the threat.

Affected Version(s)

WSO2 API Manager 3.0.0.0 < 3.0.0.1

WSO2 API Manager Analytics 2.2.0.0 < 2.2.0.1

WSO2 API Manager Analytics 2.5.0.0 < 2.5.0.1

CVSS V3.1

Score: 4.6
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
