Moderate severity · NVD Advisory · Published Dec 15, 2023 · Updated Aug 2, 2024
CVE-2023-6836
Description
Multiple WSO2 products have been identified as vulnerable to XML External Entity (XXE) attacks. An XXE attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.wso2.carbon.commons:org.wso2.carbon.ntask.core (Maven) | < 4.7.24 | 4.7.24 |
| org.wso2.am:wso2am (Maven) | < 4.0.0-beta | 4.0.0-beta |
| org.wso2.carbon.registry:org.wso2.carbon.registry.extensions (Maven) | < 4.7.31 | 4.7.31 |
| org.wso2.carbon.event-processing:org.wso2.carbon.event.processor.core (Maven) | < 2.2.12 | 2.2.12 |
| org.wso2.carbon.analytics-common:org.wso2.carbon.event.input.adapter.core (Maven) | < 5.2.23 | 5.2.23 |
| org.wso2.carbon.governance:org.wso2.carbon.governance.common (Maven) | < 4.8.13 | 4.8.13 |
Affected products
13 products
- ghsa-coords (6 versions):
  - pkg:maven/org.wso2.am/wso2am
  - pkg:maven/org.wso2.carbon.analytics-common/org.wso2.carbon.event.input.adapter.core
  - pkg:maven/org.wso2.carbon.commons/org.wso2.carbon.ntask.core
  - pkg:maven/org.wso2.carbon.event-processing/org.wso2.carbon.event.processor.core
  - pkg:maven/org.wso2.carbon.governance/org.wso2.carbon.governance.common
  - pkg:maven/org.wso2.carbon.registry/org.wso2.carbon.registry.extensions
- (no CPE) · range: < 4.0.0-beta
- (no CPE) · range: < 5.2.23
- (no CPE) · range: < 4.7.24
- (no CPE) · range: < 2.2.12
- (no CPE) · range: < 4.8.13
- (no CPE) · range: < 4.7.31
- WSO2/WSO2 API Manager · v5 · Range: 3.0.0.0
- WSO2/WSO2 API Manager Analytics · v5 · Range: 2.2.0.0
- WSO2/WSO2 API Microgateway · v5 · Range: 2.2.0.0
- WSO2/WSO2 Enterprise Integrator · v5 · Range: 6.0.0.0
- WSO2/WSO2 Identity Server · v5 · Range: 5.4.0.0
- WSO2/WSO2 IS as Key Manager · v5 · Range: 5.5.0.0
- WSO2/WSO2 Micro Integrator · v5 · Range: 1.0.0.0
References
10 references
- github.com/advisories/GHSA-cr8h-fr86-8vfv (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-6836 (ghsa, ADVISORY)
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/ (mitre, vendor-advisory)
- github.com/wso2/carbon-analytics-common/commit/9478336859306d3ea13b25cb386f29c183707fde (ghsa, WEB)
- github.com/wso2/carbon-commons/commit/a08a587e3dd5146121a7b47a0fdd06ddbcd903f4 (ghsa, WEB)
- github.com/wso2/carbon-event-processing/commit/e9953afd46a45f704de341a081f710cbdfa3f975 (ghsa, WEB)
- github.com/wso2/carbon-governance/commit/ad36968d5a11d4fc35fa5cc4e8b5ae9a04e5bb4c (ghsa, WEB)
- github.com/wso2/carbon-registry/commit/738b2a0b3e5f118527da236467ed72d9fd9ce40e (ghsa, WEB)
- github.com/wso2/product-apim/commit/96e8f5d6566d57bbbb8d4257f6f55057a79d00b5 (ghsa, WEB)
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716 (ghsa, WEB)