WSO2 · WSO2 API Manager · CVE-2025-2905
**Name of the Vulnerable Software and Affected Versions**
WSO2 API Manager versions 2.0.0 and earlier
**Description**
An XML External Entity (XXE) vulnerability exists in the gateway component of WSO2 API Manager because XML input carried in crafted URL paths is not sufficiently validated. User-supplied XML is parsed without restricting document type declarations or entity resolution, so an attacker-controlled DTD can declare external entities that the parser resolves. A remote, unauthenticated attacker can use this to read files from the server's filesystem or to cause a denial of service (DoS). On systems running JDK 7 or early JDK 8 builds, the full content of a targeted file may be exposed; on later JDK 8 updates and newer JDKs, changes in XML parser behavior limit the leak to the first line of a file. Entity-expansion payloads such as "Billion Laughs" can exhaust parser resources and disrupt the service.
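The two failure modes above (external entity resolution and entity-expansion DoS) come from the same root cause: a JAXP parser that honours an attacker-supplied DTD. The following is an added example written for this page, not WSO2 code and not a reproduction against API Manager; it parses two constructed payloads with stock `DocumentBuilderFactory` settings and again with a hardened factory that refuses any DOCTYPE. The "secret" file is a temp file the demo creates itself, the class name `XxeDemo` is arbitrary, and the expansion payload is deliberately tiny (a real "Billion Laughs" would trip the JDK's default `entityExpansionLimit` first). Requires JDK 11 or later for `Files.writeString`.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;

public class XxeDemo {

    /** Insecure: stock JAXP settings honour the DTD, expand entities and fetch SYSTEM ids. */
    static DocumentBuilder insecureBuilder() throws Exception {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Hardened: refuse any DOCTYPE, which removes both external entities and expansion DoS. */
    static DocumentBuilder hardenedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a caller later relaxes the DOCTYPE rule.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Parse and return the root element's text, i.e. what an attacker would see reflected. */
    static String rootText(DocumentBuilder b, String xml) throws Exception {
        Document d = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return d.getDocumentElement().getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file, so the demo never reads real system files.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "secret-token-12345");

        // 1. Classic XXE: an external general entity whose SYSTEM id points at the file.
        String xxe = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"" + secret.toUri() + "\">]>"
                + "<r>&ext;</r>";

        // 2. Entity-expansion DoS, kept tiny (10 x 10 x 3 bytes = 300 chars).
        String lol = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE r [<!ENTITY a \"lol\">"
                + "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">"
                + "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">]>"
                + "<r>&c;</r>";

        for (String[] sample : new String[][] { { "XXE", xxe }, { "expansion", lol } }) {
            System.out.println("== " + sample[0]);
            String leaked = rootText(insecureBuilder(), sample[1]);
            System.out.println("insecure parser returned " + leaked.length() + " chars: "
                    + (leaked.length() > 40 ? leaked.substring(0, 40) + "..." : leaked));
            try {
                rootText(hardenedBuilder(), sample[1]);
                System.out.println("hardened parser: UNEXPECTEDLY accepted");
            } catch (SAXParseException e) {
                System.out.println("hardened parser rejected it: " + e.getMessage());
            }
        }
        Files.deleteIfExists(secret);
    }
}
```

With the insecure builder the XXE sample returns the temp file's contents and the expansion sample returns 300 characters; the hardened builder throws a `SAXParseException` for both before any entity is declared, because `disallow-doctype-decl` rejects the DOCTYPE itself. Disabling DOCTYPE is the single setting that matters; the remaining features are there so the parser stays safe if someone later needs DTDs and turns that one off.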
**Recommendations**
Apply the patch WSO2-2016-0151 to versions 2.0.0 and earlier.