CVE-2021-42646

9.1 CRITICAL

📋 TL;DR

This CVE describes an XML External Entity (XXE) vulnerability in WSO2 API Manager and Identity Server management consoles. Attackers can exploit it via crafted GET requests to read sensitive files from the server or cause denial of service. Organizations running affected versions of WSO2 products with internet-facing management consoles are at risk.

💻 Affected Systems

Products:
  • WSO2 API Manager
  • WSO2 IS as Key Manager
  • WSO2 Identity Server
Versions: WSO2 API Manager: 2.6.0, 3.0.0, 3.1.0, 3.2.0, 4.0.0; WSO2 IS as Key Manager: 5.7.0, 5.9.0, 5.10.0; WSO2 Identity Server: 5.7.0, 5.8.0, 5.9.0, 5.10.0, 5.11.0
Operating Systems: All platforms running affected WSO2 versions
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the file-based service provider creation feature of the Management Console. All default installations with this feature enabled are vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise through sensitive file disclosure (including configuration files, credentials, private keys), leading to data breach and potential lateral movement within the network.

🟠 Likely Case

Unauthorized reading of sensitive server files containing configuration data, credentials, or system information that could enable further attacks.

🟢 If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to management interfaces.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the management console interface. Public proof-of-concept code exists demonstrating file disclosure via XXE injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply security patches from WSO2 security advisory WSO2-2021-1289

Vendor Advisory: https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1289/

Restart Required: Yes

Instructions:

1. Review WSO2 security advisory WSO2-2021-1289.
2. Apply the provided security patches.
3. Restart affected WSO2 services.
4. Verify the fix by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Disable XXE Processing

all

Configure XML parsers to disable external entity processing.

Modify the XML parser configuration (DocumentBuilderFactory, SAXParserFactory or the equivalent) to set:
  • setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)
  • setFeature("http://xml.org/sax/features/external-general-entities", false)
  • setFeature("http://xml.org/sax/features/external-parameter-entities", false)
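The following is an added example, written for this page and not code from WSO2 or from the advisory, showing what those three feature settings do on a JAXP DocumentBuilderFactory. The sample documents, the element names ServiceProvider and Name, and the class name are constructed placeholders; the default builder is included only for comparison.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

public class XxeHardenedParser {

    // Constructed sample documents (not WSO2 data). The element names are
    // placeholders; what matters is that one document carries a DOCTYPE with
    // an entity declaration and the other does not.
    static final String PLAIN_DOC =
        "<ServiceProvider><Name>demo-sp</Name></ServiceProvider>";

    // An internal entity is enough to show the difference: a default parser
    // expands it, while the hardened parser refuses the DOCTYPE before any
    // entity, internal or external, is ever processed.
    static final String DOC_WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE ServiceProvider [<!ENTITY ent \"expanded-by-parser\">]>\n"
        + "<ServiceProvider><Name>&ent;</Name></ServiceProvider>";

    /** Parser with the three features from the workaround applied. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright; this alone blocks classic XXE and the
        // entity-expansion denial-of-service variants.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers where a DOCTYPE must be tolerated.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** JDK default configuration, shown only for comparison. */
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    /** Returns the text of <Name>, or "REJECTED: ..." if the parser refused the input. */
    static String parseName(DocumentBuilder builder, String xml) throws Exception {
        try {
            Document d = builder.parse(new InputSource(new StringReader(xml)));
            return d.getElementsByTagName("Name").item(0).getTextContent();
        } catch (SAXParseException e) {
            return "REJECTED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilder hardened = hardenedBuilder();
        DocumentBuilder dflt = defaultBuilder();
        System.out.println("default,  plain   : " + parseName(dflt, PLAIN_DOC));
        System.out.println("default,  DOCTYPE : " + parseName(dflt, DOC_WITH_DOCTYPE));
        System.out.println("hardened, plain   : " + parseName(hardened, PLAIN_DOC));
        System.out.println("hardened, DOCTYPE : " + parseName(hardened, DOC_WITH_DOCTYPE));
    }
}
```

Run with `javac XxeHardenedParser.java && java XxeHardenedParser`. The default builder prints the expanded entity text for the second document; the hardened builder parses the plain document normally and reports the DOCTYPE document as rejected. The disallow-doctype-decl feature is the one that actually closes the hole; the two external-entities features only matter where an application genuinely has to accept a DOCTYPE.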

Restrict Management Console Access

all

Limit access to management console to trusted IP addresses only

Configure firewall rules to restrict access to management console ports (typically 9443)
Use network security groups or iptables to allow only specific source IPs

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate WSO2 management interfaces from untrusted networks
  • Deploy a web application firewall (WAF) with XXE protection rules in front of the management console

🔍 How to Verify

Check if Vulnerable:

Test the management console endpoint with XXE payloads targeting the file-based service provider creation feature. Monitor for successful file disclosure.

Check Version:

Check the WSO2 product version in the management console dashboard, or review the product distribution files, and compare it against the affected version list above.

Verify Fix Applied:

Attempt the same XXE test after patching. With the fix applied, the endpoint should return an error or reject the XXE payload instead of disclosing file contents.

📡 Detection & Monitoring

Log Indicators:

  • Unusual XML parsing errors in WSO2 logs
  • Multiple failed authentication attempts to management console followed by XML payload requests
  • GET requests containing XML entities like &xxe; or file:/// paths

Network Indicators:

  • HTTP requests to management console endpoints with XML content in parameters
  • Unusual outbound connections from WSO2 server following XXE exploitation

SIEM Query:

source="wso2-carbon.log" AND ("XML" OR "DOCTYPE" OR "ENTITY") AND ("error" OR "exception")
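As an added example (not part of the page or of any WSO2 tooling), the log and network indicators above can be checked offline against a handful of lines. The sample lines below are constructed in the style of a WSO2 carbon log and an HTTP access log; the timestamps, IPs, thread ids and the request path `/carbon/example-endpoint` are made up, and the class name is a placeholder.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class XxeLogTriage {

    // Constructed sample lines (not captured from a real system).
    static final String[] SAMPLE_LINES = {
        "TID: [-1234] [] [2021-11-03 10:12:01,004] ERROR {org.wso2.carbon.example} - Error parsing XML: DOCTYPE is disallowed when the feature \"http://apache.org/xml/features/disallow-doctype-decl\" set to true",
        "TID: [-1234] [] [2021-11-03 10:12:05,117] INFO {org.wso2.carbon.example} - 'admin@carbon.super' logged in",
        "10.0.0.7 - - [03/Nov/2021:10:12:09 +0000] \"GET /carbon/example-endpoint?data=%3C!DOCTYPE%20a%20[%3C!ENTITY%20xxe%20SYSTEM%20%22file:///placeholder%22%3E]%3E HTTP/1.1\" 200 4120",
        "10.0.0.8 - - [03/Nov/2021:10:13:40 +0000] \"GET /carbon/admin/index.jsp HTTP/1.1\" 200 9832",
        "TID: [-1234] [] [2021-11-03 10:14:22,903] WARN {org.wso2.carbon.example} - Error in processing XML: The entity \"xxe\" was referenced, but not declared."
    };

    // Mirrors the SIEM query above: an XML-related term together with an error term.
    static final Pattern XML_TERM =
        Pattern.compile("XML|DOCTYPE|ENTITY", Pattern.CASE_INSENSITIVE);
    static final Pattern ERROR_TERM =
        Pattern.compile("ERROR|EXCEPTION", Pattern.CASE_INSENSITIVE);

    // Request-side indicators, checked after URL-decoding: a DOCTYPE or ENTITY
    // declaration, an entity reference such as &xxe;, or a file:/// URI.
    static final Pattern REQUEST_INDICATOR = Pattern.compile(
        "<!DOCTYPE|<!ENTITY|&[A-Za-z_][A-Za-z0-9._-]*;|file:///", Pattern.CASE_INSENSITIVE);

    // URLDecoder.decode(String, Charset) requires Java 10 or later (assumption).
    static String safeDecode(String s) {
        try {
            return URLDecoder.decode(s, StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return s; // malformed %-escape: fall back to inspecting the raw line
        }
    }

    /** Returns one "rule | line" entry per matched line, in input order. */
    static List<String> triage(String[] lines) {
        List<String> hits = new ArrayList<>();
        for (String line : lines) {
            if (XML_TERM.matcher(line).find() && ERROR_TERM.matcher(line).find()) {
                hits.add("xml-parse-error | " + line);
            }
            if (line.contains("\"GET ") && REQUEST_INDICATOR.matcher(safeDecode(line)).find()) {
                hits.add("xxe-request-indicator | " + line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        for (String hit : triage(SAMPLE_LINES)) {
            System.out.println(hit);
        }
    }
}
```

On the sample input this flags the two parser-error lines and the encoded GET request, and leaves the login and the plain admin page request alone. The entity-reference pattern will also match harmless references such as `&amp;` in query strings, so treat it as a first-pass filter and tune it to the traffic you actually see; decoding before matching matters because an encoded `%3C!DOCTYPE` never contains the literal string the SIEM query looks for.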
