CVE-2024-2374

EPSS 0.01%
Veröffentlicht 16.04.2026 08:12:58
Zuletzt bearbeitet 17.04.2026 15:38:09
Quelle ed10eef1-636d-4fbe-9993-6890df
CVE-Watchlists
Login
Unerledigt
Login

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources.

By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerWSO2

≫

Produkt WSO2 API Manager

Default Statusunaffected

Version < 3.1.0

Version 0

Status unknown

Version < 3.1.0.278

Version 3.1.0

Status affected

Version < 3.2.0.368

Version 3.2.0

Status affected

Version < 4.0.0.280

Version 4.0.0

Status affected

Version < 4.1.0.206

Version 4.1.0

Status affected

Version < 4.2.0.144

Version 4.2.0

Status affected

Version < 4.3.0.57

Version 4.3.0

Status affected

HerstellerWSO2

≫

Produkt WSO2 Identity Server

Default Statusunaffected

Version < 5.10.0

Version 0

Status unknown

Version < 5.10.0.300

Version 5.10.0

Status affected

Version < 5.11.0.329

Version 5.11.0

Status affected

Version < 6.0.0.179

Version 6.0.0

Status affected

Version < 6.1.0.136

Version 6.1.0

Status affected

HerstellerWSO2

≫

Produkt WSO2 Open Banking AM

Default Statusunaffected

Version < 2.0.0

Version 0

Status unknown

Version < 2.0.0.328

Version 2.0.0

Status affected

HerstellerWSO2

≫

Produkt WSO2 Open Banking IAM

Default Statusunaffected

Version < 2.0.0

Version 0

Status unknown

Version < 2.0.0.348

Version 2.0.0

Status affected

HerstellerWSO2

≫

Produkt WSO2 Identity Server as Key Manager

Default Statusunaffected

Version < 5.10.0

Version 0

Status unknown

Version < 5.10.0.296

Version 5.10.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.01%	0.012

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
ed10eef1-636d-4fbe-9993-6890dfa878f8	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/

https://nvd.nist.gov/vuln/detail/CVE-2024-2374

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-2374

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-2374

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-2374