CVE-2021-42646 — CRITICAL (9.1)

Vulnerability Description

XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.

CVSS Score

9.1

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Wso2	Api Manager	2.6.0
Wso2	Identity Server	5.7.0
Wso2	Identity Server As Key Manager	5.7.0

Related Weaknesses (CWE)

CWE-611

References

http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-InjectioThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2022/Jun/7Mailing ListThird Party Advisory
https://github.com/wso2/carbon-identity-framework/pull/3472PatchThird Party Advisory
https://security.docs.wso2.com/en/latest/security-announcements/security-advisor
http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-InjectioThird Party AdvisoryVDB Entry
http://seclists.org/fulldisclosure/2022/Jun/7Mailing ListThird Party Advisory
https://github.com/wso2/carbon-identity-framework/pull/3472PatchThird Party Advisory
https://security.docs.wso2.com/en/latest/security-announcements/security-advisor

FAQ

What is CVE-2021-42646?

CVE-2021-42646 is a vulnerability with a CVSS score of 9.1 (CRITICAL). XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Mana...

How severe is CVE-2021-42646?

CVE-2021-42646 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-42646?

Check the references section above for vendor advisories and patch information. Affected products include: Wso2 Api Manager, Wso2 Identity Server, Wso2 Identity Server As Key Manager.