XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.
{
"unresolved_ranges": [
{
"cpes": [
"cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
"cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
"cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "5.7.0"
},
{
"last_affected": "5.7.0"
},
{
"introduced": "5.8.0"
},
{
"last_affected": "5.8.0"
},
{
"introduced": "5.9.0"
},
{
"last_affected": "5.9.0"
},
{
"introduced": "5.10.0"
},
{
"last_affected": "5.10.0"
},
{
"introduced": "5.11.0"
},
{
"last_affected": "5.11.0"
}
],
"vendor_product": "wso2:identity_server",
"source": "CPE_STRING"
},
{
"cpes": [
"cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
"cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*",
"cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*"
],
"vendor_product": "wso2:identity_server_as_key_manager",
"extracted_events": [
{
"introduced": "5.7.0"
},
{
"last_affected": "5.7.0"
},
{
"introduced": "5.9.0"
},
{
"last_affected": "5.9.0"
},
{
"introduced": "5.10.0"
},
{
"last_affected": "5.10.0"
}
],
"source": "CPE_STRING"
}
]
}{
"cpe": [
"cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
"cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*",
"cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
"cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
"cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*"
],
"extracted_events": [
{
"introduced": "2.6.0"
},
{
"last_affected": "2.6.0"
},
{
"introduced": "3.0.0"
},
{
"last_affected": "3.0.0"
},
{
"introduced": "3.1.0"
},
{
"last_affected": "3.1.0"
},
{
"introduced": "3.2.0"
},
{
"last_affected": "3.2.0"
},
{
"introduced": "4.0.0"
},
{
"last_affected": "4.0.0"
}
],
"source": "CPE_STRING"
}