WSO2 API Manager 3.0.0 and earlier Improper Restriction of XML External Entity Reference Vulnerability

Summary

In the event-publisher component, the secure processing feature has not been enabled for the XML parsers, so they are not protected against XXE attacks.

Credit:

The information has been provided by Paweł Hałdrzyński

The original article can be found at: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2019-0665


Details

XXE can occur in the Management Console during an EventPublisher update.

Vulnerable Systems:

WSO2 API Manager 3.0.0 and earlier

WSO2 API Manager Analytics 2.5.0 and earlier

WSO2 API Microgateway 2.2.0

WSO2 Enterprise Integrator 6.4.0 and earlier

IS as Key Manager 5.9.0 and earlier

Identity Server 5.9.0 and earlier

Identity Server Analytics 5.6.0 and earlier.

 

CVE Information:

CVE-2020-12719

 

Disclosure Timeline:
Published Date: 5/7/2020
