Date: Mon, 6 Jun 2022 17:37:11 +0300
From: Hakan Bayır ( Biznet Bilişim ) <hakan.bayir@...net.com.tr>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] XML External Entity (XXE) vulnerability in the WSO2 Management Console

XML External Entity (XXE) vulnerability in the WSO2 Management Console

I. VULNERABILITY
-------------------------
XML External Entity (XXE)

II. CVE REFERENCE
-------------------------
CVE-2021-42646

III. VENDOR
-------------------------
https://wso2.com/

IV. TIMELINE
-------------------------
14/02/2021 Vulnerability discovered
14/02/2021 Vendor contacted
01/07/2021 WSO2 replied that they had fixed it

V. CREDIT
-------------------------
Hakan Bayir at Cyberwise.

VI. DESCRIPTION
-------------------------
An XML External Entity vulnerability was identified in the file-based service provider creation feature of the Management Console.
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2021-1289

VII. REMEDIATION
-------------------------
If the latest version of the affected WSO2 product is not mentioned under the affected product list, you may migrate to the latest version to receive security fixes. Otherwise you may apply the relevant fixes to the product based on the public fix:
https://github.com/wso2/carbon-identity-framework/pull/3472

--
Hakan Bayır
Security Testing Specialist
M : +90 506 728 71 47
www.biznet.com.tr
Biznet Bilişim A.Ş.
Üniversiteler Mah. İhsan Doğramacı Blv. Teknokent İkizler Binası No:35 B Blok Kat:1 06800 ODTÜ | ANKARA
<https://www.facebook.com/biznetbs/> <https://twitter.com/biznetbilisim> <https://tr.linkedin.com/company/biznet-bilisim>

--
This message and its attachments are confidential and intended solely for the recipient(s) stated therein. This message cannot be copied, distributed or published for any purpose. If you are not the intended recipient, please do not copy, publish or forward the information existing in the content and attachments of this message. In such case please notify the sender immediately and delete all the copies of the message. Our company shall have no liability for any changes in or late receiving of the message, loss of integrity and confidentiality, viruses and any damages caused in any way to your computer system based on this message.
Please consider the environment - do you really need to print this email?

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
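The fix for this class of bug in a Java product such as WSO2 Carbon is parser configuration, so here is an added example (not WSO2's code and not taken from the advisory or the linked pull request) of a JAXP DocumentBuilderFactory hardened against XXE, checked against a constructed sample service provider upload that carries a DOCTYPE; the class name, the sample XML and the placeholder SYSTEM URI are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXParseException;

public class ServiceProviderXmlCheck {

    // Constructed sample of an uploaded service provider file carrying a DOCTYPE with an
    // external entity. The SYSTEM URI is a placeholder, not a real resource.
    static final String SAMPLE_UPLOAD =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE ServiceProvider [ <!ENTITY ext SYSTEM \"file:///PLACEHOLDER_PATH\"> ]>\n"
      + "<ServiceProvider><ApplicationName>&ext;</ApplicationName></ServiceProvider>";

    // DocumentBuilderFactory.newInstance() at JAXP defaults processes the DTD and may
    // resolve SYSTEM entities, which is the condition an XXE advisory describes. This
    // factory is hardened: refusing any DOCTYPE is the decisive setting, and the other
    // features are defence in depth for parser implementations that do not honour it.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses an upload with the hardened factory. Returns true if the document was
    // accepted, false if the parser rejected it (the DOCTYPE case above).
    static boolean acceptsUpload(String xml) throws Exception {
        try {
            hardenedFactory().newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("accepted: " + acceptsUpload(SAMPLE_UPLOAD));
        String clean = "<ServiceProvider><ApplicationName>demo</ApplicationName></ServiceProvider>";
        System.out.println("accepted: " + acceptsUpload(clean));
    }
}
```

The same feature set applies to SAXParserFactory and XMLInputFactory-based parsing; whichever parser a file-upload feature uses, the check is that a document with a DOCTYPE is refused before any entity is resolved.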