{"id":"CVE-2021-42646","details":"XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.","modified":"2026-07-18T03:45:12.274464535Z","published":"2022-05-11T18:15:23.053Z","database_specific":{"unresolved_ranges":[{"extracted_events":[{"introduced":"5.7.0"},{"last_affected":"5.7.0"},{"introduced":"5.8.0"},{"last_affected":"5.8.0"},{"introduced":"5.9.0"},{"last_affected":"5.9.0"},{"introduced":"5.10.0"},{"last_affected":"5.10.0"},{"introduced":"5.11.0"},{"last_affected":"5.11.0"}],"source":"CPE_STRING","vendor_product":"wso2:identity_server","cpes":["cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*"]},{"vendor_product":"wso2:identity_server_as_key_manager","cpes":["cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"5.7.0"},{"last_affected":"5.7.0"},{"introduced":"5.9.0"},{"last_affected":"5.9.0"},{"introduced":"5.10.0"},{"last_affected":"5.10.0"}],"source":"CPE_STRING"}]},"references":[{"type":"ADVISORY","url":"http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html"},{"type":"ADVISORY","url":"http://seclists.org/fulldisclosure/2022/Jun/7"},{"type":"ADVISORY","url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1289/"},{"type":"FIX","url":"https://github.com/wso2/carbon-identity-framework/pull/3472"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wso2/product-apim","events":[{"introduced":"a87463944acbc28f14c0af2a32dc30310147a0be"},{"last_affected":"cf00d9e6cb083f94abae11818794f62cd5c94079"}],"database_specific":{"source":"CPE_STRING","cpe":["cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"2.6.0"},{"last_affected":"2.6.0"},{"introduced":"3.0.0"},{"last_affected":"3.0.0"},{"introduced":"3.1.0"},{"last_affected":"3.1.0"},{"introduced":"3.2.0"},{"last_affected":"3.2.0"},{"introduced":"4.0.0"},{"last_affected":"4.0.0"}]}}],"versions":["2.6.0","3.0.0","3.1.0","3.2.0","4.0.0","v4.0.0-rc","v4.0.0","4.0.0-beta","v4.0.0-beta","v4.0.0-alpha","v4.0.0-m8","v4.0.0-m7","v4.0.0-m6","v4.0.0-m5","v4.0.0-m4","v4.0.0-m3","v4.0.0-m2","v4.0.0-m1","v3.2.0-rc6","v3.2.0","v3.2.0-rc5","v3.2.0-rc4","v3.2.0-rc3","v3.2.0-rc2","v3.2.0-rc1","v3.2.0-beta","v3.2.0-alpha","v3.2.0-m1","v3.1.0-rc3","v3.1.0","v3.0.0-rc3","v3.0.0","v3.1.0-rc2","v3.1.0-rc1","v3.1.0-beta","v3.1.0-alpha","v3.1.0-m5","v3.1.0-m4","v3.1.0-m3","v3.1.0-m2","v3.1.0-m1","v3.0.0-rc2","v3.0.0-rc1","v3.0.0-beta","v3.0.0-alpha2","v3.0.0-alpha","v3.0.0-m35","v3.0.0-m34","v3.0.0-m33","v3.0.0-m32","v2.6.0-rc3","v2.6.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-42646.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}]}