CVE-2023-6836 - OpenCVE

Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Wso2	Api Microgateway Identity Server As Key Manager Identity Server Enterprise Integrator Api Manager Micro Integrator Api Manager Analytics

Configuration 1 [-]

cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:a:wso2:api_manager_analytics:2.2.0:::::::*
	cpe:2.3:a:wso2:api_manager_analytics:2.5.0:::::::*

Configuration 3 [-]

cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*

Configuration 4 [-]

cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*

Configuration 5 [-]

OR	cpe:2.3:a:wso2:identity_server_as_key_manager:5.0.0:::::::*
	cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:::::::*
	cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:::::::*
	cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:::::::*

Configuration 6 [-]

OR	cpe:2.3:a:wso2:identity_server:5.4.0:::::::*
	cpe:2.3:a:wso2:identity_server:5.4.1:::::::*
	cpe:2.3:a:wso2:identity_server:5.5.0:::::::*
	cpe:2.3:a:wso2:identity_server:5.6.0:::::::*

Configuration 7 [-]

cpe:2.3:a:wso2:micro_integrator:1.0.0:*:*:*:*:*:*:*

References

Link	Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: WSO2

Published: 2023-12-15T09:26:01.323Z

Updated: 2024-01-09T05:03:32.570Z

Reserved: 2023-12-15T09:25:13.205Z

Link: CVE-2023-6836

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-12-15T10:15:09.407

Modified: 2023-12-19T13:52:56.807

Link: CVE-2023-6836

JSON object: View

Redhat Information

No data.

CWE

CWE-611

{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"cveId": "CVE-2023-6836", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "state": "PUBLISHED", "assignerShortName": "WSO2", "dateReserved": "2023-12-15T09:25:13.205Z", "datePublished": "2023-12-15T09:26:01.323Z", "dateUpdated": "2024-01-09T05:03:32.570Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "WSO2 API Manager ", "repo": "https://github.com/wso2/product-apim", "vendor": "WSO2", "versions": [{"lessThan": "3.0.0.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "3.0.0.1", "status": "affected", "version": "3.0.0.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 API Manager Analytics", "repo": "https://github.com/wso2/analytics-apim", "vendor": "WSO2", "versions": [{"lessThan": "2.2.0.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "2.2.0.1", "status": "affected", "version": "2.2.0.0", "versionType": "custom"}, {"lessThan": "2.5.0.1", "status": "affected", "version": "2.5.0.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 API Microgateway", "vendor": "WSO2", "versions": [{"lessThan": "2.2.0.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "2.2.0.1", "status": "affected", "version": "2.2.0.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 Enterprise Integrator", "repo": "https://github.com/wso2/product-ei", "vendor": "WSO2", "versions": [{"lessThan": "6.0.0.2", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "6.0.0.3", "status": "affected", "version": "6.0.0.0", "versionType": "custom"}, {"lessThan": "6.1.0.5", "status": "affected", "version": "6.1.0.0", "versionType": "custom"}, {"lessThan": "6.1.1.5", "status": "affected", "version": "6.1.1.0", "versionType": "custom"}, {"lessThan": "6.6.0.1", "status": "affected", "version": "6.6.0.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 IS as Key Manager", "vendor": "WSO2", "versions": [{"lessThan": "5.5.0.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "5.5.0.1", "status": "affected", "version": "5.5.0.0", "versionType": "custom"}, {"lessThan": "5.6.0.1", "status": "affected", "version": "5.6.0.0", "versionType": "custom"}, {"lessThan": "5.7.0.1", "status": "affected", "version": "5.7.0.0", "versionType": "custom"}, {"lessThan": "5.9.0.1", "status": "affected", "version": "5.9.0.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 Identity Server", "repo": "https://github.com/wso2/product-is", "vendor": "WSO2", "versions": [{"lessThan": "5.4.0.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "5.4.0.1", "status": "affected", "version": "5.4.0.0", "versionType": "custom"}, {"lessThan": "5.4.1.1", "status": "affected", "version": "5.4.1.0", "versionType": "custom"}, {"lessThan": "5.5.0.1", "status": "affected", "version": "5.5.0.0", "versionType": "custom"}, {"lessThan": "5.6.0.1", "status": "affected", "version": "5.6.0.0", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "WSO2 Micro Integrator", "vendor": "WSO2", "versions": [{"lessThan": "1.0.0.0", "status": "unknown", "version": "0", "versionType": "custom"}, {"lessThan": "1.0.0.1", "status": "affected", "version": "1.0.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information."}], "value": "Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information."}], "impacts": [{"capecId": "CAPEC-250", "descriptions": [{"lang": "en", "value": "CAPEC-250 XML Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-611", "description": "CWE-611 Improper Restriction of XML External Entity Reference", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2024-01-09T05:03:32.570Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.<br><br>Community users may apply the relevant fixes to the product based on the public fix(s) advertised in <a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/</a><br>"}], "value": "For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly.\n\nCommunity users may apply the relevant fixes to the product based on the public fix(s) advertised in https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/ https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/ \n"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "80465515-637E-46D9-9F36-063B8549A539", "versionEndIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "ADEAF56C-4583-40A6-826F-01AC86191AD7", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "04A2A50A-872E-4CC7-BBB7-3E0956176AAC", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "79CDDE83-4CB6-4DA3-8E96-FCDA4F5C1E93", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*", "matchCriteriaId": "16E39585-2B28-4631-A62F-27F17DC9AB4A", "versionEndIncluding": "6.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "C016AEE9-7BF7-4BD8-913A-1BA02B2464CF", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "2E5761F7-C287-4EC4-A899-C54FB4E80A35", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*", "matchCriteriaId": "3B184BFC-8E1A-4971-B6D2-C594742AB8CE", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*", "matchCriteriaId": "EA51AC1B-0BF6-44F6-B034-CAD4F623DD76", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:*", "matchCriteriaId": "B9E7D773-A7CE-4AB8-828B-C2E7DC2799AD", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:*", "matchCriteriaId": "CEA63B98-D4B4-4FCD-A869-FE64BC21A1B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*", "matchCriteriaId": "8DA0050E-D5DD-45E5-9F61-DC1BB060EFF0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "26542F95-73F3-4906-838E-A66F5DC9DFA5", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:micro_integrator:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A690D484-8402-4D45-833D-373D1713FA49", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information."}, {"lang": "es", "value": "Se han identificado varios productos WSO2 como vulnerables debido a que un ataque de entidad externa XML (XXE) abusa de una caracter\u00edstica ampliamente disponible pero rara vez utilizada de los analizadores XML para acceder a informaci\u00f3n confidencial."}], "id": "CVE-2023-6836", "lastModified": "2023-12-19T13:52:56.807", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 2.5, "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}]}, "published": "2023-12-15T10:15:09.407", "references": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "tags": ["Vendor Advisory"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/"}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-611"}], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}]}