Platform
java
Component
wso2-api-manager
Fixed in
3.2.0.397
3.2.1.27
4.0.0.310
4.0.0.319
4.1.0.171
4.2.0.127
4.3.0.39
CVE-2024-8010 is an XML External Entity (XXE) injection, described in the advisory as an Arbitrary File Access vulnerability, in WSO2 API Manager. The affected component accepts XML input without disabling external entity resolution, so a DOCTYPE in attacker-supplied XML can declare an entity whose SYSTEM identifier points at a local file or an HTTP URL, and the parser resolves it. Exploitation lets a malicious actor read confidential files from the server or reach limited HTTP resources from it. Every release line up to 4.3.0 is affected at update levels below those listed above; the fix ships as update level 4.3.0.39 on the current branch and as the corresponding update levels on the older branches.
An attacker exploits the flaw by submitting a crafted XML document that declares an external entity and references it in the body. When the parser expands the entity, its content is read from the server's file system and may be reflected back to the attacker, exposing configuration files, API keys, or other confidential data. With an http:// SYSTEM identifier the same mechanism makes the server issue an HTTP GET on the attacker's behalf, which reaches internal HTTP resources that are otherwise unreachable from outside (the advisory limits this to resources accessible via GET). Although the CVSS score is low, file disclosure from an API gateway and server-side requests into its network deserve prompt attention: secrets read this way can be reused against the backends and identity systems the API Manager integrates with, so the blast radius extends to any system that relies on the API Manager's data or credentials.
CVE-2024-8010 is not listed in the CISA KEV catalog. Its EPSS score is 0.01% (0th percentile), i.e. a very low estimated probability of exploitation in the wild. The CVSS score of 3.5 (LOW) measures severity, not likelihood; the two should be read together. No public Proof-of-Concept (PoC) exploit is currently known. Published on 2026-04-16.
Organizations running WSO2 API Manager at any update level below the fixed ones listed above are at risk. This includes anyone using the API Manager to manage and secure APIs, particularly deployments that handle sensitive data or integrate with critical backend systems. Multi-tenant and shared hosting deployments face increased risk, because a file read or server-side request issued by one tenant's crafted XML runs with the server's privileges and can reach data belonging to other tenants.
• java / server: confirm the installed release and update level against the "Fixed in" list. The install directory /opt/wso2/apim/ is the page's example path, and the two files named here are assumed to follow the layout written by the WSO2 update tool; adjust to your deployment:
cat /opt/wso2/apim/bin/version.txt
cat /opt/wso2/apim/updates/product.txt
• generic web: confirm whether the Publisher portal (the component named in the fix notes) is reachable from the network you are assessing. A 200, or a redirect to its login page, means the vulnerable component is exposed; 9443 is the product's default HTTPS management port:
curl -sk -o /dev/null -w '%{http_code}\n' 'https://<api-manager-host>:9443/publisher/'
Exploit status
EPSS
0.01% (0th percentile)
CISA SSVC
CVSS vector
The recommended mitigation is to update WSO2 API Manager to the fixed update level for your release line (3.2.0.397, 3.2.1.27, 4.0.0.310 or 4.0.0.319, 4.1.0.171, 4.2.0.127, or 4.3.0.39) or later. If updating is not immediately possible, disable external entity resolution in the XML parser configuration: for a JAXP parser this means disallowing DOCTYPE declarations and turning off external general and parameter entities and external DTD loading. Restrict which network endpoints accept XML at all, and reject documents containing a DOCTYPE before they reach the parser. Monitor API Manager logs for XML parse errors that mention DOCTYPE, ENTITY or SYSTEM identifiers, since those are the artefacts a probe leaves behind. After updating, verify the fix in a non-production environment by submitting a crafted XML document with an external entity and confirming that the parser rejects it rather than returning file content.
Update WSO2 API Manager to version 3.2.0.397 or later, 3.2.1.27 or later, 4.0.0.310 or later, 4.0.0.319 or later, 4.1.0.171 or later, 4.2.0.127 or later, or 4.3.0.39 or later to mitigate the XML external entity injection vulnerability. This update disables external entity resolution in the Publisher component, preventing arbitrary file reads.
CVE-2024-8010 is an XML external entity (XXE) injection vulnerability in WSO2 API Manager that lets an attacker read server files, or make the server issue HTTP GET requests, by submitting XML whose external entity references the parser resolves. It affects releases up to the 4.3.0 line at update levels below the fixed ones and has a CVSS score of 3.5 (LOW).
You are affected if you are running WSO2 API Manager on any release line up to 4.3.0 at an update level below the fixed one for that line. Check your deployment's release and update level and update if necessary.
Update WSO2 API Manager to the fixed update level for your release line (4.3.0.39 or later on the current line; see the "Fixed in" list for older lines). As a temporary workaround, disable external entity resolution and DOCTYPE processing in the XML parser configuration.
Currently, there are no reports of active exploitation campaigns targeting CVE-2024-8010, but vigilance is still recommended.
Refer to the official WSO2 security advisory for CVE-2024-8010 on the WSO2 website.