Very High
CVE-2020-24590
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-24590
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML Entity Expansion attacks.
Add Assessment
Ratings
-
Attacker ValueVery High
-
ExploitabilityHigh
Technical Analysis
Severity: Critical
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
AFFECTED PRODUCTS
WSO2 API Manager : 3.1.0 or earlier
WSO2 API Microgateway : 2.2.0
An XML External Entity injection (XXE) often allows an attacker to view files on the server file system, and to interact with any backend or external systems that the application itself can access and allows the attacker to transmit sensitive data from the compromised server to a system that the attacker controls. An XML Entity Expansion attack might result in a denial-of-service condition, causing the entire application to stop functioning. It is possible to exploit both of the above vulnerabilities without authenticating to the Management Console.
CREDITS
Krzysztof Przybylski
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- wso2
Products
- api manager,
- api microgateway 2.2.0
References
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
