Platform
java
Component
wso2-api-manager
Fixed in
3.1.0
3.1.0.278
3.2.0.368
4.0.0.280
4.1.0.206
4.2.0.144
4.3.0.57
5.10.0.300
5.11.0.329
CVE-2024-2374 is an XML External Entity (XXE) injection vulnerability affecting WSO2 API Manager. An attacker exploits it by submitting a crafted XML payload whose external entity declaration makes the server-side parser read a local file or fetch an HTTP resource reachable from the product. Versions prior to 6.1.0.136 are affected; a fix is available in version 6.1.0.136, with the per-branch fixed update levels listed above.
CVE-2024-2374 affects XML parsers in several WSO2 products, WSO2 API Manager among them. These parsers accept user-supplied XML without being configured to prevent the resolution of external entities. A malicious actor can therefore craft an XML payload that exploits the parser's behaviour and causes external resources to be pulled into the document. The potential impact includes reading confidential files from the file system and accessing limited HTTP resources reachable by the product. The root cause is missing protection against XML External Entity (XXE) injection, which lets an attacker steer the parser's data flow.
An attacker could exploit this vulnerability by sending a specially crafted XML payload to any endpoint that parses XML. The payload declares an external entity whose system identifier points at a local file or an HTTP URL; a parser that resolves it inlines the resource into the document. The content reaches the attacker when the parsed value or a parse error is reflected back in a response, and an HTTP system identifier makes the server issue the request on the attacker's behalf. The difficulty of exploitation depends on the specific WSO2 product configuration and on finding an endpoint that exposes parsed content. The enabling factor is parser configuration rather than missing input validation: filtering payloads is unreliable, whereas forbidding DOCTYPE declarations and external entity resolution removes the vector.
Exploit Status
EPSS
0.01% (3rd percentile)
The primary mitigation for CVE-2024-2374 is to upgrade to WSO2 API Manager version 6.1.0.136, or a later version that includes the fix. Where the XML parser configuration is under your control, additionally disable external entity resolution by setting the parser features that forbid DOCTYPE declarations and the loading of external general and parameter entities and external DTDs. Reviewing and hardening the security configuration of WSO2 products is crucial to prevent future attacks, and monitoring system logs for unusual XML processing, such as parse errors that reference file:// or http:// system identifiers, is also recommended.
Update WSO2 API Manager to a fixed version (3.1.0 or later) to mitigate the XML External Entity injection vulnerability. Configure the XML parser correctly so that external entity resolution is disabled, or use an allowlist of permitted entities. Consult the official WSO2 documentation for detailed instructions.
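The following is an added example, not code from WSO2 API Manager, illustrating both the parser behaviour described above and the mitigation: it builds a constructed XXE payload whose external entity points at a temporary file, parses it once with a default `DocumentBuilderFactory` (which resolves the entity and inlines the file contents) and once with a hardened factory that forbids DOCTYPE declarations and external entity loading (which rejects the document). The class, method and file names are hypothetical; the feature URIs are the standard SAX/Xerces features accepted by the JDK's built-in parser.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;

public class XxeDemo {

    // Constructed payload (hypothetical): the external entity's system identifier is a
    // file:// URI that a permissive parser inlines into <data>. The same shape with an
    // http:// URI makes the server fetch an internal HTTP resource on the attacker's behalf.
    static String payload(Path secret) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE request [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">\n"
             + "]>\n"
             + "<request><data>&xxe;</data></request>";
    }

    // Weak configuration: a default DocumentBuilderFactory resolves external entities.
    static DocumentBuilderFactory permissiveFactory() {
        return DocumentBuilderFactory.newInstance();
    }

    // Hardened configuration: forbid DOCTYPE entirely (which also stops entity-expansion
    // DoS), and, as defence in depth for parser implementations that ignore that feature,
    // disable external general/parameter entities, external DTD loading, XInclude and
    // entity expansion.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parse the payload with the given factory and return whatever ended up inside <data>.
    static String parseData(DocumentBuilderFactory f, String xml) throws Exception {
        Document doc = f.newDocumentBuilder().parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("data").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Stand-in for a confidential file on the server (constructed content).
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(secret, "db.password=hunter2");
        String xml = payload(secret);

        // The default factory resolves the entity: the file contents appear in <data>.
        System.out.println("permissive: " + parseData(permissiveFactory(), xml));

        // The hardened factory refuses the document as soon as it sees the DOCTYPE.
        try {
            parseData(hardenedFactory(), xml);
            System.out.println("hardened: parsed (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened: rejected (" + e.getMessage() + ")");
        }
        Files.delete(secret);
    }
}
```

Run with `javac XxeDemo.java && java XxeDemo` on JDK 11 or later (it uses `Files.writeString`). Forbidding DOCTYPE is the single setting that closes XXE on the JDK's built-in parser; the remaining features matter when the application must accept DTDs, or when a different parser implementation is wired in and does not honour `disallow-doctype-decl`.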
XXE is a security vulnerability in which an attacker declares external entities in submitted XML so that the parser resolves them, letting the attacker read local files or make server-side requests to resources the parser can reach.
All versions prior to 6.1.0.136 are vulnerable to CVE-2024-2374.
Check the version of WSO2 API Manager you are using. If it's older than 6.1.0.136, it is vulnerable.
Disabling external entity resolution in the XML parser configuration removes the XXE vector where you control that configuration, but in a packaged product the parser settings are managed by the vendor, so treat it as a workaround and apply the vendor fix.
Refer to the official WSO2 documentation and security advisories for more details.