WSO2 Management Console XML Injection

2022.06.20

Credit: Hakan Bayir

Risk: Medium

Local: No

Remote: Yes

CVE: CVE-2021-42646

CWE: N/A

XML External Entity (XXE) vulnerability in the WSO2 Management Console

I. VULNERABILITY
-------------------------
XML External Entity (XXE)

II. CVE REFERENCE
-------------------------
CVE-2021-42646

III. VENDOR
-------------------------
https://wso2.com/

IV. TIMELINE
-------------------------
14/02/2021 Vulnerability discovered
14/02/2021 Vendor contacted
01/07/2021 WSO2 replay that they fixed

V. CREDIT
-------------------------
Hakan Bayir at Cyberwise.

VI. DESCRIPTION
-------------------------
An XML External Entity vulnerability was identified in the file based
service provider creation feature of the Management Console.

https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1289


VII. Remediation
-------------------------
If the latest version of the affected WSO2 product is not mentioned under
the affected product list, you may migrate to the latest version to receive
security fixes. Otherwise you may apply the relevant fixes to the product
based on the public fix:
https://github.com/wso2/carbon-identity-framework/pull/3472

-- 
Hakan Bayır

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

WSO2 Management Console XML Injection

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.