Platform: java
Component: wso2-api-manager
Fixed in: 3.2.0.397, 3.2.1.27, 4.0.0.310, 4.0.0.319, 4.1.0.171, 4.2.0.127, 4.3.0.39
CVE-2024-8010 describes an Arbitrary File Access vulnerability affecting WSO2 API Manager versions 0.0.0 through 4.3.0.39. It allows attackers to read sensitive files from the system, or to reach a limited set of HTTP resources, by submitting crafted XML payloads. The root cause is that the affected component parses XML input without disabling external entity resolution (XML External Entity injection, XXE). A fix is available in version 4.3.0.39.
An attacker can exploit CVE-2024-8010 by submitting a specially crafted XML payload to the Publisher endpoint. The payload declares external entity references that the parser resolves, so the contents of files on the API Manager host can be pulled into the parsed document and potentially disclosed. Which files are reachable depends on the API Manager's configuration and on the permissions of the account it runs under. Successful exploitation could expose sensitive configuration data, API keys or other confidential information. The same mechanism can be used to reach a limited set of HTTP resources from the server, potentially revealing internal network details or reaching external services through the API Manager instance.
CVE-2024-8010 was published on 2026-04-16. The CVSS base score is 3.5 (LOW); the EPSS score of 0.01% separately indicates a low estimated probability of exploitation. No public proof-of-concept (PoC) code is currently available. The vulnerability is not currently listed in the CISA KEV catalog, and no active exploitation campaigns are known.
Exploit Status
EPSS: 0.01% (0th percentile)
The primary mitigation for CVE-2024-8010 is to upgrade WSO2 API Manager to version 4.3.0.39 or later, which includes the fix for this vulnerability. If an immediate upgrade is not feasible, apply temporary workarounds: disable external entity resolution in the XML parser configuration; restrict the file system permissions of the account the API Manager runs under, to limit what a successful exploit can read; validate and sanitize XML input before it reaches the parser; and monitor API Manager logs for suspicious activity such as unusual file access attempts or XML parsing errors.
Update WSO2 API Manager to the fixed build for your release line (3.2.0.397, 3.2.1.27, 4.0.0.310, 4.0.0.319, 4.1.0.171, 4.2.0.127 or 4.3.0.39, or later) to mitigate the XML External Entity Injection vulnerability. The update disables external entity resolution in the Publisher component, which prevents arbitrary files from being read.
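The parser-side workaround described above, shown as an added example in Java (the product's platform) and not code from WSO2 or from this advisory: a default JAXP DocumentBuilderFactory beside a hardened one, each run against a constructed DOCTYPE payload. The class name, the placeholder file path and the sample document are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class XxeHardening {
    // Constructed payload of the kind the advisory describes: a DOCTYPE declaring an
    // external entity whose SYSTEM identifier points at a local file (placeholder path).
    static final String DOCTYPE_PAYLOAD =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE api [<!ENTITY ext SYSTEM \"file:///PLACEHOLDER/secret.txt\">]>\n"
        + "<api><name>&ext;</name></api>\n";
    // Weak configuration: JAXP defaults resolve external entities, which is the XXE condition.
    static DocumentBuilderFactory weakFactory() {
        return DocumentBuilderFactory.newInstance();
    }
    // Hardened configuration: reject any DOCTYPE outright, and additionally disable external
    // general/parameter entities, external DTD loading and XInclude (belt and braces).
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, ""); // JDK built-in parser; other impls may reject it
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // Parses xml with the given factory and reports the outcome instead of throwing.
    static String outcome(DocumentBuilderFactory f, String xml) {
        try {
            Document d = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "accepted <" + d.getDocumentElement().getTagName() + ">";
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName() + " - " + e.getMessage();
        }
    }
    public static void main(String[] args) throws Exception {
        // Weak parser attempts to open the file (failing here only because the placeholder
        // does not exist); the hardened parser rejects the DOCTYPE before any file I/O.
        System.out.println("weak     : " + outcome(weakFactory(), DOCTYPE_PAYLOAD));
        System.out.println("hardened : " + outcome(hardenedFactory(), DOCTYPE_PAYLOAD));
    }
}
```

The same feature set applies to SAXParserFactory and to XMLInputFactory for StAX; any parser the application constructs itself must be configured this way, because the product fix covers only the Publisher component.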
CVE-2024-8010 is a vulnerability in WSO2 API Manager allowing attackers to read files by exploiting unescaped external entity references in XML input. It affects versions 0.0.0–4.3.0.39 and has a CVSS score of 3.5 (LOW).
You are affected if you are using WSO2 API Manager versions 0.0.0 through 4.3.0.39. Check your deployment version and upgrade if necessary.
Upgrade WSO2 API Manager to version 4.3.0.39 or later. As a temporary workaround, disable external entity resolution in the XML parser configuration.
Currently, there are no reports of active exploitation campaigns targeting CVE-2024-8010, but vigilance is still recommended.
Refer to the official WSO2 security advisory for CVE-2024-8010 on the WSO2 website.