XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier.
Weakness
The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Api_manager | Wso2 | * | 3.0.0 (including) |
| Api_manager_analytics | Wso2 | * | 2.5.0 (including) |
| Api_microgateway | Wso2 | 2.2.0 (including) | 2.2.0 (including) |
| Enterprise_integrator | Wso2 | * | 6.4.0 (including) |
| Identity_server | Wso2 | * | 5.9.0 (including) |
| Identity_server_analytics | Wso2 | * | 5.6.0 (including) |
| Identity_server_as_key_manager | Wso2 | * | 5.9.0 (including) |