CVE-2021-42646

Sažetak

XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.

Reference

http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html
http://seclists.org/fulldisclosure/2022/Jun/7
https://github.com/wso2/carbon-identity-framework/pull/3472
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1289/

CVSS

Base:	6.4
Impact:	4.9
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:N/A:P

Zadnje važnije ažuriranje

11-01-2024 - 03:15

Objavljeno

11-05-2022 - 18:15