WSO2 Management Console suffers from an XML external entity injection vulnerability.
3095603d2cabf6d7b0762bcd9407fb68679e7b5ca8286b67ddacafd70db1d62e
XML External Entity (XXE) vulnerability in the WSO2 Management Console
I. VULNERABILITY
-------------------------
XML External Entity (XXE)
II. CVE REFERENCE
-------------------------
CVE-2021-42646
III. VENDOR
-------------------------
https://wso2.com/
IV. TIMELINE
-------------------------
14/02/2021 Vulnerability discovered
14/02/2021 Vendor contacted
01/07/2021 WSO2 replay that they fixed
V. CREDIT
-------------------------
Hakan Bayir at Cyberwise.
VI. DESCRIPTION
-------------------------
An XML External Entity vulnerability was identified in the file based
service provider creation feature of the Management Console.
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1289
VII. Remediation
-------------------------
If the latest version of the affected WSO2 product is not mentioned under
the affected product list, you may migrate to the latest version to receive
security fixes. Otherwise you may apply the relevant fixes to the product
based on the public fix:
https://github.com/wso2/carbon-identity-framework/pull/3472
--
Hakan Bayır