CVE-2024-2374

HIGH

XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary file read and Denial of Service

Title source: cna

Description

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.

References (1)

[Vendor Advisory] https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/

Scores

CVSS v3 7.5

EPSS 0.0001

EPSS Percentile 3.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-611

Status published

Products (23)

wso2/api_manager 3.1.0 - 3.1.0.278

wso2/identity_server 5.10.0 - 5.10.0.300

wso2/identity_server_as_key_manager 5.10.0 - 5.10.0.296

wso2/open_banking_am 2.0.0 - 2.0.0.328

wso2/open_banking_iam 2.0.0 - 2.0.0.348

WSO2/WSO2 API Manager < 3.1.0

WSO2/WSO2 API Manager 3.1.0 - 3.1.0.278

WSO2/WSO2 API Manager 3.2.0 - 3.2.0.368

WSO2/WSO2 API Manager 4.0.0 - 4.0.0.280

WSO2/WSO2 API Manager 4.1.0 - 4.1.0.206

... and 13 more

Published Apr 16, 2026

Tracked Since Apr 16, 2026