CVE-2024-8010

Summary

The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.

By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 API Manager0 < 3.2.0unknown
WSO2WSO2 API Manager3.2.0 < 3.2.0.397affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.27affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.310affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.319affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.171affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.127affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.39affected

Weaknesses

  • CWE-611: CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References