CVE-2023-6836

Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:a:wso2:api_manager_analytics:2.2.0:::::::*
	cpe:2.3:a:wso2:api_manager_analytics:2.5.0:::::::*

Configuration 3 (hide)

cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*

Configuration 4 (hide)

cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*

Configuration 5 (hide)

OR	cpe:2.3:a:wso2:identity_server_as_key_manager:5.0.0:::::::*
	cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:::::::*
	cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:::::::*
	cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:::::::*

Configuration 6 (hide)

OR	cpe:2.3:a:wso2:identity_server:5.4.0:::::::*
	cpe:2.3:a:wso2:identity_server:5.4.1:::::::*
	cpe:2.3:a:wso2:identity_server:5.5.0:::::::*
	cpe:2.3:a:wso2:identity_server:5.6.0:::::::*

Configuration 7 (hide)

cpe:2.3:a:wso2:micro_integrator:1.0.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2023-12-15 10:15

Updated : 2023-12-19 13:52

NVD link : CVE-2023-6836

Mitre link : CVE-2023-6836

CVE.ORG link : CVE-2023-6836

JSON object : View

Products Affected

wso2

enterprise_integrator
api_microgateway
identity_server_as_key_manager
api_manager_analytics
identity_server
micro_integrator
api_manager

CWE

CWE-611

Improper Restriction of XML External Entity Reference

{"id": "CVE-2023-6836", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Secondary", "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.6, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 2.1}]}, "published": "2023-12-15T10:15:09.407", "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/", "tags": ["Vendor Advisory"], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-611"}]}, {"type": "Secondary", "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "description": [{"lang": "en", "value": "CWE-611"}]}], "descriptions": [{"lang": "en", "value": "Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information."}, {"lang": "es", "value": "Se han identificado varios productos WSO2 como vulnerables debido a que un ataque de entidad externa XML (XXE) abusa de una caracter\u00edstica ampliamente disponible pero rara vez utilizada de los analizadores XML para acceder a informaci\u00f3n confidencial."}], "lastModified": "2023-12-19T13:52:56.807", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "80465515-637E-46D9-9F36-063B8549A539", "versionEndIncluding": "3.0.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ADEAF56C-4583-40A6-826F-01AC86191AD7"}, {"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "04A2A50A-872E-4CC7-BBB7-3E0956176AAC"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "79CDDE83-4CB6-4DA3-8E96-FCDA4F5C1E93"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16E39585-2B28-4631-A62F-27F17DC9AB4A", "versionEndIncluding": "6.6.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C016AEE9-7BF7-4BD8-913A-1BA02B2464CF"}, {"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E5761F7-C287-4EC4-A899-C54FB4E80A35"}, {"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3B184BFC-8E1A-4971-B6D2-C594742AB8CE"}, {"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA51AC1B-0BF6-44F6-B034-CAD4F623DD76"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9E7D773-A7CE-4AB8-828B-C2E7DC2799AD"}, {"criteria": "cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CEA63B98-D4B4-4FCD-A869-FE64BC21A1B6"}, {"criteria": "cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8DA0050E-D5DD-45E5-9F61-DC1BB060EFF0"}, {"criteria": "cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "26542F95-73F3-4906-838E-A66F5DC9DFA5"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:micro_integrator:1.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "A690D484-8402-4D45-833D-373D1713FA49"}], "operator": "OR"}]}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8"}