CVE-2024-8010
XML External Entity Injection in Publisher Component Enables Data Exposure
Publication date: 2026-04-16
Last updated on: 2026-04-23
Assigner: WSO2 LLC
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wso2 | api_manager | From 3.2.0 (inc) to 3.2.0.397 (exc) |
| wso2 | api_manager | From 3.2.1 (inc) to 3.2.1.27 (exc) |
| wso2 | api_manager | From 4.0.0 (inc) to 4.0.0.310 (inc) |
| wso2 | api_manager | From 4.1.0 (inc) to 4.1.0.171 (exc) |
| wso2 | api_manager | From 4.2.0 (inc) to 4.2.0.127 (exc) |
| wso2 | api_manager | From 4.3.0 (inc) to 4.3.0.39 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs because the component accepts XML input through the Publisher without disabling external entity resolution in the parser. An attacker can therefore submit a specially crafted XML payload that declares external entity references, and the parser resolves them instead of rejecting them.
By exploiting this, the attacker can cause the system to process these external entities, potentially allowing them to read confidential files from the product's file system or access restricted HTTP resources via HTTP GET requests.
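The mitigation for this class of bug (CWE-611) is to configure the XML parser so that it never resolves external entities, and preferably to reject any DOCTYPE in untrusted input before a single entity can be declared. The following is an added illustration written for this page, not WSO2 code (WSO2 API Manager is a Java product; the same two controls exist in JAXP as the `disallow-doctype-decl` and `external-general-entities` features). It uses only the Python standard library: `has_dtd` is a cheap pre-parse check usable in a request filter or detection rule, `parse_untrusted` is a parser wrapper that disables external general and parameter entities and aborts on the first DOCTYPE. The `<api>` document shape, element names, file path and the `_DtdGuard`/`_TextCollector` helper names are all constructed for the example.

```python
# Added illustration for CWE-611 hardening; not code from WSO2 API Manager.
# Two layers: a pre-parse DTD detector and a parser that refuses DTDs and
# never loads external entities. Sample documents below are constructed.
import io
import re
import xml.sax
import xml.sax.handler


class DtdRejected(ValueError):
    """Raised when untrusted XML carries a DOCTYPE (and so may declare entities)."""


# Pre-parse filter: a DOCTYPE or ENTITY declaration has no legitimate use in
# the simple documents this endpoint expects, so its presence is a signal
# worth blocking and logging before the parser ever runs.
_DTD_MARKER = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def has_dtd(data: bytes) -> bool:
    """True if the raw document contains a DOCTYPE or ENTITY declaration."""
    return _DTD_MARKER.search(data) is not None


class _DtdGuard:
    """SAX lexical handler: abort the parse the moment a DTD begins,
    which is before any <!ENTITY ...> inside it can be processed."""

    def startDTD(self, name, public_id, system_id):
        raise DtdRejected(f"DOCTYPE '{name}' is not allowed in untrusted input")

    # Remaining lexical callbacks are no-ops; expatreader may invoke them.
    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects the text of each leaf element into a dict (constructed shape)."""

    def __init__(self):
        super().__init__()
        self.fields = {}
        self._current = None
        self._buf = []

    def startElement(self, name, attrs):
        self._current = name
        self._buf = []

    def characters(self, content):
        self._buf.append(content)

    def endElement(self, name):
        if self._current == name:  # leaf element just closed
            self.fields[name] = "".join(self._buf).strip()
        self._current = None


def parse_untrusted(data: bytes) -> dict:
    """Parse XML with external entity resolution disabled and DTDs rejected."""
    parser = xml.sax.make_parser()
    # Never fetch external general entities (file://, http://, ...).
    parser.setFeature(xml.sax.handler.feature_external_ges, False)
    # Never fetch external parameter entities / external DTD subsets.
    parser.setFeature(xml.sax.handler.feature_external_pes, False)
    # Defence in depth: refuse any DOCTYPE at all.
    parser.setProperty(xml.sax.handler.property_lexical_handler, _DtdGuard())
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data))
    return collector.fields


# Constructed sample inputs: a benign API definition and a test vector that
# declares an external entity pointing at a placeholder file path.
CLEAN_DOC = b'<?xml version="1.0"?><api><name>PetStore</name><context>/pets</context></api>'
DTD_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE api [<!ENTITY ext SYSTEM "file:///PLACEHOLDER/confidential.txt">]>'
    b'<api><name>&ext;</name></api>'
)


if __name__ == "__main__":
    print(parse_untrusted(CLEAN_DOC))
    print("DTD detected in test vector:", has_dtd(DTD_DOC))
    try:
        parse_untrusted(DTD_DOC)
    except DtdRejected as exc:
        print("rejected:", exc)
```

Both layers are independent on purpose: the regex catches the obvious case cheaply and gives you something to alert on, while the parser configuration is what actually prevents resolution if a DOCTYPE slips through in an encoding or form the regex does not match. In a Java deployment the equivalent is setting `disallow-doctype-decl` to true and the `external-general-entities` / `external-parameter-entities` features to false on the `DocumentBuilderFactory` or `SAXParserFactory` before any untrusted document is parsed.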
How can this vulnerability impact me?
The impact of this vulnerability is that a malicious actor could gain unauthorized access to sensitive information stored on the system by reading confidential files.
Additionally, the attacker could access limited HTTP resources that should not be reachable, potentially exposing further sensitive data or internal services.
The CVSS score indicates a low to medium severity with limited impact on confidentiality and no impact on integrity or availability, but it still represents a risk of information disclosure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows a malicious actor to read confidential files from the product's file system or access limited HTTP resources. Such unauthorized access to confidential information can lead to violations of data protection regulations like GDPR and HIPAA, which require strict controls to protect sensitive data from unauthorized disclosure.
By exploiting this vulnerability, the confidentiality of sensitive data may be compromised, potentially resulting in non-compliance with standards that mandate data privacy and security.