CVE-2023-6836: XEE
First published: Fri Dec 15 2023(Updated: )
Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.
Credit: ed10eef1-636d-4fbe-9993-6890dfa878f8 ed10eef1-636d-4fbe-9993-6890dfa878f8
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WSO2 API Manager | <=3.0.0 | |
| Wso2 Api Manager Analytics | =2.2.0 | |
| Wso2 Api Manager Analytics | =2.5.0 | |
| WSO2 API Microgateway | =2.2.0 | |
| WSO2 Enterprise Integrator | <=6.6.0 | |
| WSO2 Identity Server as Key Manager | =5.0.0 | |
| WSO2 Identity Server as Key Manager | =5.6.0 | |
| WSO2 Identity Server as Key Manager | =5.7.0 | |
| WSO2 Identity Server as Key Manager | =5.9.0 | |
| WSO2 Identity Server | =5.4.0 | |
| WSO2 Identity Server | =5.4.1 | |
| WSO2 Identity Server | =5.5.0 | |
| WSO2 Identity Server | =5.6.0 | |
| WSO2 Micro Integrator | =1.0.0 | |
| maven/org.wso2.carbon.governance:org.wso2.carbon.governance.common | <4.8.13 | 4.8.13 |
| maven/org.wso2.carbon.analytics-common:org.wso2.carbon.event.input.adapter.core | <5.2.23 | 5.2.23 |
| maven/org.wso2.carbon.event-processing:org.wso2.carbon.event.processor.core | <2.2.12 | 2.2.12 |
| maven/org.wso2.carbon.registry:org.wso2.carbon.registry.extensions | <4.7.31 | 4.7.31 |
| maven/org.wso2.am:wso2am | <4.0.0-beta | 4.0.0-beta |
| maven/org.wso2.carbon.commons:org.wso2.carbon.ntask.core | <4.7.24 | 4.7.24 |
Remedy
For WSO2 Subscription holders, the recommended solution is to apply the provided patch/update to the affected versions of the products. If there are any instructions given with the patch/update, please make sure those are followed properly. Community users may apply the relevant fixes to the product based on the public fix(s) advertised in https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/ https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2023-6836
- https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/
- https://github.com/wso2/carbon-analytics-common/commit/9478336859306d3ea13b25cb386f29c183707fde
- https://github.com/wso2/carbon-commons/commit/a08a587e3dd5146121a7b47a0fdd06ddbcd903f4
- https://github.com/wso2/carbon-event-processing/commit/e9953afd46a45f704de341a081f710cbdfa3f975
- https://github.com/wso2/carbon-governance/commit/ad36968d5a11d4fc35fa5cc4e8b5ae9a04e5bb4c
- https://github.com/wso2/carbon-registry/commit/738b2a0b3e5f118527da236467ed72d9fd9ce40e
- https://github.com/wso2/product-apim/commit/96e8f5d6566d57bbbb8d4257f6f55057a79d00b5
- https://github.com/advisories/GHSA-cr8h-fr86-8vfv (Advisory)
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-cr8h-fr86-8vfv
- alias/CVE-2023-6836
- collector/nvd-cve
- collector/github-advisory
- agent/author
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/weakness
- agent/references
- agent/description
- agent/event
- agent/tags
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- vendor/wso2
- canonical/wso2 api manager
- version/wso2 api manager/3.0.0
- canonical/wso2 api manager analytics
- version/wso2 api manager analytics/2.2.0
- version/wso2 api manager analytics/2.5.0
- canonical/wso2 api microgateway
- version/wso2 api microgateway/2.2.0
- canonical/wso2 enterprise integrator
- version/wso2 enterprise integrator/6.6.0
- canonical/wso2 identity server as key manager
- version/wso2 identity server as key manager/5.0.0
- version/wso2 identity server as key manager/5.6.0
- version/wso2 identity server as key manager/5.7.0
- version/wso2 identity server as key manager/5.9.0
- canonical/wso2 identity server
- version/wso2 identity server/5.4.0
- version/wso2 identity server/5.4.1
- version/wso2 identity server/5.5.0
- version/wso2 identity server/5.6.0
- canonical/wso2 micro integrator
- version/wso2 micro integrator/1.0.0
- package-manager/maven