Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jcjhoLWZyODYtOHZmds4AA3y-

WSO2 products vulnerable to XML External Entity attack

Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.

Permalink: https://github.com/advisories/GHSA-cr8h-fr86-8vfv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jcjhoLWZyODYtOHZmds4AA3y-
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 9 months ago
Updated: 9 months ago

CVSS Score: 4.6
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Identifiers: GHSA-cr8h-fr86-8vfv, CVE-2023-6836
References:

Repository: https://github.com/wso2/carbon-analytics-common
Blast Radius: 7.6

Affected Packages

maven:org.wso2.carbon.governance:org.wso2.carbon.governance.common

Dependent packages: 5
Dependent repositories: 4
Downloads:
Affected Version Ranges: < 4.8.13
Fixed in: 4.8.13
All affected versions: 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.6, 4.5.7, 4.5.8, 4.5.9, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.7.0, 4.7.1, 4.7.2, 4.7.3, 4.7.4, 4.7.5, 4.7.6, 4.7.7, 4.7.8, 4.7.9, 4.7.10, 4.7.11, 4.7.12, 4.7.13, 4.7.14, 4.7.15, 4.7.16, 4.7.17, 4.7.18, 4.7.19, 4.7.20, 4.7.21, 4.7.22, 4.7.23, 4.7.24, 4.7.25, 4.7.26, 4.7.27, 4.7.28, 4.7.29, 4.8.9, 4.8.10
All unaffected versions: 4.8.13, 4.8.14, 4.8.15, 4.8.16, 4.8.17, 4.8.18, 4.8.19, 4.8.21, 4.8.22, 4.8.23, 4.8.24, 4.8.25, 4.8.26, 4.8.27, 4.8.28, 4.8.30, 4.8.31, 4.8.33

maven:org.wso2.carbon.analytics-common:org.wso2.carbon.event.input.adapter.core

Dependent packages: 27
Dependent repositories: 6
Downloads:
Affected Version Ranges: < 5.2.23
Fixed in: 5.2.23
All affected versions: 1.0.0, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.1.0, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.1.8, 5.1.9, 5.1.11, 5.1.12, 5.1.13, 5.1.14, 5.1.15, 5.1.16, 5.1.17, 5.1.18, 5.1.19, 5.1.20, 5.1.21, 5.1.22, 5.1.23, 5.1.24, 5.1.25, 5.1.26, 5.1.27, 5.1.28, 5.1.29, 5.1.30, 5.1.31, 5.1.32, 5.1.33, 5.1.34, 5.1.35, 5.1.36, 5.1.37, 5.1.38, 5.1.39, 5.1.40, 5.1.41, 5.1.42, 5.1.43, 5.1.44, 5.1.45, 5.1.46, 5.1.47, 5.1.48, 5.1.49, 5.1.50, 5.1.51, 5.1.52, 5.1.53, 5.1.54, 5.1.55, 5.1.56, 5.1.57, 5.1.59, 5.1.61, 5.1.62, 5.1.63, 5.2.11, 5.2.12, 5.2.13, 5.2.19
All unaffected versions: 5.2.23, 5.2.24, 5.2.25, 5.2.26, 5.2.27, 5.2.28, 5.2.29, 5.2.30, 5.2.31, 5.2.32, 5.2.33, 5.2.34, 5.2.35, 5.2.36, 5.2.37, 5.2.38, 5.2.44, 5.2.45, 5.2.46, 5.2.47, 5.2.48, 5.2.49, 5.2.51, 5.2.52, 5.3.0, 5.3.1, 5.3.3, 5.3.4, 5.3.5, 5.3.8, 5.3.10, 5.3.11, 5.3.12, 5.3.13

maven:org.wso2.carbon.event-processing:org.wso2.carbon.event.processor.core

Dependent packages: 9
Dependent repositories: 8
Downloads:
Affected Version Ranges: < 2.2.12
Fixed in: 2.2.12
All affected versions: 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.10, 2.0.11, 2.0.12, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.5, 2.1.6, 2.1.7, 2.1.8, 2.1.9, 2.1.10, 2.1.11, 2.1.12, 2.1.13, 2.1.14, 2.1.15, 2.1.16, 2.1.17, 2.1.18, 2.1.19, 2.1.20, 2.1.21, 2.1.22, 2.1.23, 2.1.24, 2.1.25, 2.1.26, 2.1.27, 2.1.28, 2.1.29, 2.2.6
All unaffected versions: 2.2.12, 2.2.13, 2.2.14, 2.2.15, 2.2.16, 2.3.0, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.10, 2.3.11, 2.3.12, 2.3.13

maven:org.wso2.carbon.registry:org.wso2.carbon.registry.extensions

Dependent packages: 48
Dependent repositories: 16
Downloads:
Affected Version Ranges: < 4.7.31
Fixed in: 4.7.31
All affected versions: 4.6.11, 4.6.12, 4.6.13, 4.6.14, 4.6.15, 4.6.16, 4.6.17, 4.6.18, 4.6.19, 4.6.20, 4.6.21, 4.6.22, 4.6.23, 4.6.24, 4.6.25, 4.6.26, 4.6.27, 4.6.28, 4.6.29, 4.6.30, 4.6.31, 4.6.32, 4.6.33, 4.6.34, 4.6.35, 4.6.36, 4.6.37, 4.6.38, 4.6.39, 4.6.40, 4.6.41, 4.6.42, 4.7.13, 4.7.14, 4.7.15, 4.7.16, 4.7.17, 4.7.25, 4.7.26, 4.7.27, 4.7.28
All unaffected versions: 4.7.31, 4.7.32, 4.7.33, 4.7.34, 4.7.35, 4.7.36, 4.7.37, 4.7.38, 4.7.39, 4.7.40, 4.7.41, 4.7.42, 4.7.43, 4.7.44, 4.7.45, 4.7.46, 4.7.47, 4.7.48, 4.7.49, 4.7.50, 4.8.0, 4.8.1, 4.8.2, 4.8.7, 4.8.8, 4.8.9, 4.8.10, 4.8.11, 4.8.12, 4.8.13, 4.8.14, 4.8.15, 4.8.21, 4.8.23, 4.8.24, 4.8.30, 4.8.33, 4.8.35

maven:org.wso2.am:wso2am

Affected Version Ranges: < 4.0.0-beta
Fixed in: 4.0.0-beta

maven:org.wso2.carbon.commons:org.wso2.carbon.ntask.core

Dependent packages: 31
Dependent repositories: 44
Downloads:
Affected Version Ranges: < 4.7.24
Fixed in: 4.7.24
All affected versions: 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.4.0, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 4.5.0, 4.5.1, 4.5.2, 4.5.3, 4.5.4, 4.5.5, 4.5.7, 4.5.8, 4.5.9, 4.5.10, 4.5.11, 4.5.12, 4.6.0, 4.6.1, 4.6.2, 4.6.3, 4.6.4, 4.6.5, 4.6.6, 4.6.7, 4.6.8, 4.6.9, 4.6.10, 4.6.11, 4.6.12, 4.6.13, 4.6.14, 4.6.15, 4.6.16, 4.6.17, 4.6.18, 4.6.19, 4.6.20, 4.6.21, 4.6.22, 4.6.23, 4.6.24, 4.6.25, 4.6.26, 4.6.27, 4.6.28, 4.6.29, 4.6.30, 4.6.31, 4.6.32, 4.6.33, 4.6.34, 4.6.35, 4.6.36, 4.6.37, 4.6.38, 4.6.39, 4.6.40, 4.6.41, 4.6.42, 4.6.43, 4.6.44, 4.6.45, 4.6.46, 4.6.47, 4.6.48, 4.6.49, 4.6.50, 4.6.51, 4.6.52, 4.6.53, 4.6.54, 4.6.55, 4.6.56, 4.6.57, 4.6.58, 4.6.59, 4.6.60, 4.6.61, 4.6.62, 4.6.63, 4.6.64, 4.6.65, 4.7.12, 4.7.13, 4.7.20, 4.7.21, 4.7.22
All unaffected versions: 4.7.24, 4.7.25, 4.7.26, 4.7.27, 4.7.28, 4.7.29, 4.7.30, 4.7.31, 4.7.32, 4.7.33, 4.7.34, 4.7.35, 4.7.36, 4.7.37, 4.7.38, 4.7.39, 4.7.40, 4.7.41, 4.7.42, 4.7.43, 4.7.45, 4.7.46, 4.7.47, 4.7.50, 4.8.0, 4.8.8, 4.9.0, 4.9.1, 4.9.2, 4.9.3, 4.9.6, 4.9.7, 4.9.10, 4.10.0, 4.10.1, 4.10.3, 4.10.8