CVE-2024-2374

EPSS 0.38%
Veröffentlicht 16.04.2026 08:12:58
Zuletzt bearbeitet 23.04.2026 15:36:05
Quelle ed10eef1-636d-4fbe-9993-6890df
CVE-Watchlists
Login
Unerledigt
Login

XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary file read and Denial of Service

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources.

By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

NVD 13 VulnDex Vulnerability Enrichment 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Wso2 ≫ Api Manager Version >= 3.1.0 < 3.1.0.278

Wso2 ≫ Api Manager Version >= 3.2.0 < 3.2.0.368

Wso2 ≫ Api Manager Version >= 4.0.0 < 4.0.0.280

Wso2 ≫ Api Manager Version >= 4.1.0 < 4.1.0.206

Wso2 ≫ Api Manager Version >= 4.2.0 < 4.2.0.144

Wso2 ≫ Api Manager Version >= 4.3.0 < 4.3.0.57

Wso2 ≫ Identity Server Version >= 5.10.0 < 5.10.0.300

Wso2 ≫ Identity Server Version >= 5.11.0 < 5.11.0.329

Wso2 ≫ Identity Server Version >= 6.0.0 < 6.0.0.179

Wso2 ≫ Identity Server Version >= 6.1.0 < 6.1.0.136

Wso2 ≫ Identity Server As Key Manager Version >= 5.10.0 < 5.10.0.296

Wso2 ≫ Open Banking Am Version >= 2.0.0 < 2.0.0.328

Wso2 ≫ Open Banking Iam Version >= 2.0.0 < 2.0.0.348

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.38%	0.293

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.1	3.9	5.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
ed10eef1-636d-4fbe-9993-6890dfa878f8	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-2374

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-2374

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-2374

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-2374