CVE-2023-6836 : Multiple WSO2 products have been identified as vulnerable due to an XML External

Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.

Published 2023-12-15 10:15:09

Updated 2023-12-19 13:52:57

Source

View at NVD, CVE.org

Vulnerability category: XML external entity (XXE) injection

Products affected by CVE-2023-6836

Wso2 » Identity Server » Version: 5.5.0
cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*
Matching versions
Wso2 » Identity Server » Version: 5.6.0
cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*
Matching versions
Wso2 » Identity Server » Version: 5.4.0
cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:*
Matching versions
Wso2 » Identity Server » Version: 5.4.1
cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:*
Matching versions
Wso2 » Enterprise Integrator
Versions up to, including, (<=) 6.6.0
cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*
Matching versions
Wso2 » Api Manager
Versions up to, including, (<=) 3.0.0
cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*
Matching versions
Wso2 » Identity Server As Key Manager » Version: 5.7.0
cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*
Matching versions
Wso2 » Identity Server As Key Manager » Version: 5.6.0
cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*
Matching versions
Wso2 » Identity Server As Key Manager » Version: 5.9.0
cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*
Matching versions
Wso2 » Identity Server As Key Manager » Version: 5.0.0
cpe:2.3:a:wso2:identity_server_as_key_manager:5.0.0:*:*:*:*:*:*:*
Matching versions
Wso2 » Api Manager Analytics » Version: 2.2.0
cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*
Matching versions
Wso2 » Api Manager Analytics » Version: 2.5.0
cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*
Matching versions
Wso2 » Api Microgateway » Version: 2.2.0
cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*
Matching versions
Wso2 » Micro Integrator » Version: 1.0.0
cpe:2.3:a:wso2:micro_integrator:1.0.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-6836

EPSS FAQ

0.21%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 41 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-6836

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.6	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N	2.1	2.5	WSO2
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Unchanged Confidentiality: Low Integrity: Low Availability: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: None Availability: None

CWE ids for CVE-2023-6836

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Assigned by:
- ed10eef1-636d-4fbe-9993-6890dfa878f8 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2023-6836

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/

WSO2-2020-0716
Vendor Advisory

Jump to

Vulnerability Details : CVE-2023-6836

Products affected by CVE-2023-6836

Exploit prediction scoring system (EPSS) score for CVE-2023-6836

CVSS scores for CVE-2023-6836

CWE ids for CVE-2023-6836

References for CVE-2023-6836