WSO2 XML Parsers Vulnerable to External Entity Attacks
The National Vulnerability Database (NVD) recently published CVE-2024-2374, a high-severity XML External Entity (XXE) vulnerability affecting multiple WSO2 products. According to the NVD entry, the XML parsers in these products are not configured to block external entity resolution when they process user-supplied XML. An attacker who can submit XML to an affected endpoint can therefore declare an entity in a DOCTYPE that points at an external resource (a local file path or a URL), and the parser will fetch that resource and splice its contents into the parsed document.
The weakness is classified as CWE-611 (Improper Restriction of XML External Entity Reference). Per the NVD, exploitation lets an attacker read confidential files from the server's file system or reach HTTP resources that the product itself can access but the attacker cannot, which turns the parser into a server-side request forgery pivot into internal services. The same parser behaviour also gives a denial-of-service path: nested entity declarations that expand exponentially (the "billion laughs" pattern; XML forbids directly recursive entities, so the amplification comes from nesting), or an external entity pointing at a very large or never-ending resource, can exhaust CPU, memory or worker threads. The CVSS v3.1 base score is 7.5 (HIGH). The NVD summary does not enumerate affected versions, so any WSO2 deployment that accepts XML from untrusted parties should be treated as in scope until its version has been checked against the vendor's security advisory for this CVE. At the parser level, the reliable fix is to disallow DOCTYPE declarations entirely; where DTDs must be accepted, disable external general entities, external parameter entities and external DTD loading.
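The three impacts above (file read, SSRF, entity-expansion DoS) all come from one parser setting, so the following added example shows the permissive configuration beside the hardened one. It is not WSO2 code and not taken from the advisory: Python's stdlib expat parser stands in for the Java parsers WSO2 products use, the secret file, the `internal.example` URL and the payloads are all constructed here, and http(s) entities are recorded rather than fetched so the script runs offline.

```python
"""XXE (the CVE-2024-2374 bug class) with Python's stdlib expat parser.

Added example, not WSO2 code. parse_permissive() resolves external
entities the way the advisory describes; parse_hardened() refuses the
DOCTYPE before a single entity can be declared. All inputs are constructed.
"""
import os
import re
import tempfile
import xml.parsers.expat as expat


class XmlRejected(Exception):
    """Raised by parse_hardened() when the input carries a DOCTYPE."""


def screen_for_dtd(xml_bytes):
    """Cheap pre-parse triage (gateway/WAF style): which DTD constructs appear.

    A detection signal only; the control is the parser configuration below.
    """
    findings = []
    if b"<!DOCTYPE" not in xml_bytes:
        return findings
    findings.append("doctype")
    if b"<!ENTITY" in xml_bytes:
        findings.append("entity-decl")
    if re.search(rb"<!ENTITY\s+\S+\s+(SYSTEM|PUBLIC)", xml_bytes):
        findings.append("external-entity")        # file read / SSRF shape
    if re.search(rb"<!ENTITY\s+%", xml_bytes):
        findings.append("parameter-entity")       # blind / out-of-band shape
    if xml_bytes.count(b"<!ENTITY") >= 4:
        findings.append("expansion-dos-suspect")  # billion-laughs shape
    return findings


def parse_permissive(xml_bytes):
    """Behaves like a parser left able to resolve external entities.

    Returns (text, fetches): character data with external entity content
    spliced in, plus every system ID the parser tried to resolve. file://
    targets are really read; http(s) targets are only recorded (a JAXP
    parser would fetch them) so the example stays offline.
    """
    text, fetches = [], []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def resolve(context, base, system_id, public_id):
        fetches.append(system_id)
        if system_id.startswith(("http://", "https://")):
            return 1                              # SSRF attempt, not performed here
        path = system_id[len("file://"):] if system_id.startswith("file://") else system_id
        with open(path, "rb") as fh:
            content = fh.read()
        # The fetched bytes are parsed as an external parsed entity; their
        # text lands in the same CharacterDataHandler, i.e. in the response.
        parser.ExternalEntityParserCreate(context).Parse(content, True)
        return 1

    parser.ExternalEntityRefHandler = resolve
    parser.Parse(xml_bytes, True)
    return "".join(text), fetches


def parse_hardened(xml_bytes):
    """Same parser, but any DOCTYPE is rejected before it is processed.

    Refusing the DTD closes file read, SSRF and expansion DoS at once. No
    ExternalEntityRefHandler is installed, so even a declared external
    entity would be skipped rather than fetched.
    """
    text = []
    parser = expat.ParserCreate()
    parser.CharacterDataHandler = text.append

    def refuse(name, system_id, public_id, has_internal_subset):
        raise XmlRejected("DOCTYPE %r not allowed in untrusted XML" % name)

    parser.StartDoctypeDeclHandler = refuse
    parser.Parse(xml_bytes, True)
    return "".join(text)


def build_payloads(secret_path):
    """Constructed attacker inputs, one per impact named in the advisory."""
    e1, e2, e3 = b"&e0;" * 10, b"&e1;" * 10, b"&e2;" * 10   # 10^3 x e0 if expanded
    return {
        "benign": b'<?xml version="1.0"?><data><name>alice</name></data>',
        "file_read": (b'<?xml version="1.0"?>\n<!DOCTYPE data [<!ENTITY xxe SYSTEM "file://'
                      + secret_path.encode() + b'">]>\n<data><name>&xxe;</name></data>'),
        "ssrf": (b'<?xml version="1.0"?>\n<!DOCTYPE data [<!ENTITY xxe SYSTEM '
                 b'"http://internal.example/admin">]>\n<data>&xxe;</data>'),
        "dos": (b'<?xml version="1.0"?>\n<!DOCTYPE lol [\n<!ENTITY e0 "xxxxxxxxxx">\n'
                b'<!ENTITY e1 "' + e1 + b'">\n<!ENTITY e2 "' + e2 + b'">\n'
                b'<!ENTITY e3 "' + e3 + b'">\n]>\n<lol>&e3;</lol>'),
    }


def run_demo():
    """Writes a constructed secret file and runs every payload through both parsers."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write("admin.password=hunter2")        # constructed secret, not real
    try:
        results = {}
        for name, xml in build_payloads(fh.name).items():
            entry = {"screen": screen_for_dtd(xml), "hardened_rejected": False}
            try:
                entry["hardened_text"] = parse_hardened(xml)
            except XmlRejected:
                entry["hardened_rejected"] = True
            if name in ("file_read", "ssrf"):     # the expansion bomb is never run permissively
                entry["permissive_text"], entry["fetches"] = parse_permissive(xml)
            results[name] = entry
        return results
    finally:
        os.unlink(fh.name)


if __name__ == "__main__":
    for name, entry in run_demo().items():
        print(name, entry)
```

Running the script shows the permissive parser returning the secret file's contents as element text and logging the outbound URL, while the hardened parser raises on every payload that carries a DOCTYPE and still parses the benign document. The Java equivalent for a JAXP/Xerces stack such as WSO2's is `DocumentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true)`; if DTDs must be accepted, set `http://xml.org/sax/features/external-general-entities` and `http://xml.org/sax/features/external-parameter-entities` to false and `http://apache.org/xml/features/nonvalidating/load-external-dtd` to false.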
Vulnerability Summary
The entries below summarise the weakness and its impacts; the vulnerability itself has no file hashes, domains or IP addresses that would serve as indicators of compromise.
| CVE | Weakness / impact | Description |
|---|---|---|
| CVE-2024-2374 | XML External Entity (XXE), CWE-611 | XML parsers in multiple WSO2 products resolve external entities in user-supplied XML |
| CVE-2024-2374 | Information disclosure | Read confidential files from the server's file system |
| CVE-2024-2374 | Information disclosure (SSRF) | Access HTTP resources reachable only from the product |
| CVE-2024-2374 | Denial of service | Exhaust server resources through nested entity expansion |
| CVE-2024-2374 | Denial of service | Force the parser to fetch very large external resources |