Strix
26.1K

CVE-2024-2374

CRITICALCVSS 9.1/10EPSS 0.38%

Last modified

CVE-2024-2374 is a critical-severity vulnerability rated 9.1/10 on the CVSS scale. The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. EPSS estimates a 0.38% chance of exploitation in the next 30 days.

Description

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.

Metrics

CVSS 3.1
9.1/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

EPSS Probability
0.38%

29.6th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
Wso2Api Manager>= 3.1.0, < 3.1.0.278
Wso2Api Manager>= 3.2.0, < 3.2.0.368
Wso2Api Manager>= 4.0.0, < 4.0.0.280
Wso2Api Manager>= 4.1.0, < 4.1.0.206
Wso2Api Manager>= 4.2.0, < 4.2.0.144
Wso2Api Manager>= 4.3.0, < 4.3.0.57
Wso2Identity Server>= 5.10.0, < 5.10.0.300
Wso2Identity Server>= 5.11.0, < 5.11.0.329
Wso2Identity Server>= 6.0.0, < 6.0.0.179
Wso2Identity Server>= 6.1.0, < 6.1.0.136
Wso2Identity Server As Key Manager>= 5.10.0, < 5.10.0.296
Wso2Open Banking Am>= 2.0.0, < 2.0.0.328
Wso2Open Banking Iam>= 2.0.0, < 2.0.0.348

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2024-2374?
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.
How severe is CVE-2024-2374?
CVE-2024-2374 has a CVSS score of 9.1/10 (CRITICAL severity). The EPSS model estimates a 0.38% probability of exploitation in the next 30 days.
How do I fix CVE-2024-2374?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2024-2374?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST