XML External Entity (XXE) vulnerability in the WSO2 Management Console
I. VULNERABILITY
-------------------------
XML External Entity (XXE)
II. CVE REFERENCE
-------------------------
CVE-2021-42646
III. VENDOR
-------------------------
https://wso2.com/
IV. TIMELINE
-------------------------
14/02/2021 Vulnerability discovered
14/02/2021 Vendor contacted
01/07/2021 WSO2 replay that they fixed
V. CREDIT
-------------------------
Hakan Bayir at Cyberwise.
VI. DESCRIPTION
-------------------------
An XML External Entity vulnerability was identified in the file based
service provider creation feature of the Management Console.
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1289
VII. Remediation
-------------------------
If the latest version of the affected WSO2 product is not mentioned under
the affected product list, you may migrate to the latest version to receive
security fixes. Otherwise you may apply the relevant fixes to the product
based on the public fix:
https://github.com/wso2/carbon-identity-framework/pull/3472
--
Hakan Bayır