Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Published: 04th June 2nd September 2021

Version: 12.0.0

Severity: Medium

CVSS Score: 4.3 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)

...

If a malicious XML payload can be submitted to the XML parser here, then the attacker could read confidential data from the file system or access HTTP resources that are reachable to the vulnerable product. The same vulnerability could be used in performing a denial of service attack.


SOLUTION

If you are using an affected product version, it is highly recommended to migrate to the latest released version to the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. You Otherwise you may also apply the relevant fixes to the product based on the changes from the public fix: https://github.com/wso2/carbon-kernel/pull/2927

NOTES

Note: If you are a WSO2 customer with Support Subscription, please use the Update 2.0 or WUM to update the products WSO2 Updates in order to apply the fix.