WSO2 API Manager 3.0.0 and earlier Improper Restriction of XML External Entity Reference Vulnerability

Summary

In the event-receiver component, the secure processing feature has not been enabled for XML parsers to prevent XXE attacks.

Credit:

The information has been provided by Krzysztof Przybylski.

The original article can be found at: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0727


Details

In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, the Management Console allows XXE during the addition or update of a Lifecycle.

 

Vulnerable Systems:

WSO2 API Manager 3.0.0 and earlier

WSO2 API Microgateway 2.2.0

WSO2 IS as Key Manager 5.9.0 and earlier

 

CVE Information:

CVE-2020-13883

Disclosure Timeline:
Published Date: 6/6/2020
