WSO2 API Manager/IS as Key Manager/Identity Server File Based Service Provider Creation xml external entity reference

A vulnerability has been found in WSO2 API Manager, IS as Key Manager and Identity Server (Automation Software) (affected version unknown) and classified as problematic. Affected by this vulnerability is an unknown code of the component File Based Service Provider Creation. Applying a patch is able to eliminate this problem. The bugfix is ready for download at github.com.

Field05/12/2022 12:45 PM05/14/2022 03:35 PM
vendorWSO2WSO2
nameAPI Manager/IS as Key Manager/Identity ServerAPI Manager/IS as Key Manager/Identity Server
componentFile Based Service Provider CreationFile Based Service Provider Creation
cwe611 (XML External Entity)611 (XML External Entity)
risk11
cvss3_vuldb_sUU
cvss3_vuldb_cLL
cvss3_vuldb_iLL
cvss3_vuldb_aLL
cvss3_vuldb_rlOO
cvss3_vuldb_rcCC
urlhttps://github.com/wso2/carbon-identity-framework/pull/3472https://github.com/wso2/carbon-identity-framework/pull/3472
namePatchPatch
patch_urlhttps://github.com/wso2/carbon-identity-framework/pull/3472https://github.com/wso2/carbon-identity-framework/pull/3472
cveCVE-2021-42646CVE-2021-42646
cve_assigned16345080001634508000
date1652306400 (05/12/2022)1652306400 (05/12/2022)
typeAutomation SoftwareAutomation Software
cvss2_vuldb_ciPP
cvss2_vuldb_iiPP
cvss2_vuldb_aiPP
cvss2_vuldb_rcCC
cvss2_vuldb_rlOFOF
cvss2_vuldb_avAA
cvss2_vuldb_acMM
cvss2_vuldb_auSS
cvss2_vuldb_eNDND
cvss3_vuldb_avAA
cvss3_vuldb_acLL
cvss3_vuldb_prLL
cvss3_vuldb_uiNN
cvss3_vuldb_eXX
cvss2_vuldb_basescore4.94.9
cvss2_vuldb_tempscore4.34.3
cvss3_vuldb_basescore5.55.5
cvss3_vuldb_tempscore5.35.3
cvss3_meta_basescore5.55.5
cvss3_meta_tempscore5.35.3
price_0day$0-$5k$0-$5k
cve_nvd_summaryXML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.

PreviousOverviewNext

Might our Artificial Intelligence support you?

Check our Alexa App!