CVE-2021-42646

Name of the Vulnerable Software and Affected Versions WSO2 API Manager versions 2.6.0 through 4.0.0 WSO2 IS as Key Manager versions 5.7.0 through 5.10.0 WSO2 Identity Server versions 5.7.0 through 5.11.0

Description The issue allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests. This is due to an XML External Entity (XXE) vulnerability in the file-based service provider creation feature of the Management Console.

Recommendations For WSO2 API Manager versions 2.6.0 through 4.0.0, update to a version that includes a fix for this issue. For WSO2 IS as Key Manager versions 5.7.0 through 5.10.0, update to a version that includes a fix for this issue. For WSO2 Identity Server versions 5.7.0 through 5.11.0, update to a version that includes a fix for this issue. As a temporary workaround, consider restricting access to the Management Console to minimize the risk of exploitation.