CVE-2021-42646 Information
Jun 07, 2022
Description
XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Reference
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1289
https://github.com/wso2/carbon-identity-framework/pull/3472
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
HIGH
Base Score
9.1
Base Severity
CRITICAL