ID

VAR-202006-0508


CVE

CVE-2020-13883


TITLE

XML External Entity (XXE) vulnerability in multiple WSO2 products

Trust: 0.8

sources: JVNDB: JVNDB-2020-006170

DESCRIPTION

In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, the Management Console allows XXE during addition or update of a Lifecycle. The product may be put into a denial-of-service (DoS) state. WSO2 API Manager and the other affected products are all products of the American company WSO2. WSO2 API Microgateway is a cloud-native and extensible API gateway product. WSO2 IS as Key Manager is a key manager. This vulnerability stems from improper design or implementation problems in the code development process of network systems or products.

Trust: 1.71

sources: NVD: CVE-2020-13883 // JVNDB: JVNDB-2020-006170 // VULHUB: VHN-166706

AFFECTED PRODUCTS

vendor: wso2, model: api microgateway, scope: eq, version: 2.2.0

Trust: 1.8

vendor: wso2, model: api manager, scope: lte, version: 3.0.0

Trust: 1.0

vendor: wso2, model: identity server as key manager, scope: lte, version: 5.9.0

Trust: 1.0

vendor: wso2, model: identity server as key manager, scope: eq, version: 5.9.0

Trust: 0.8

vendor: wso2, model: api manager, scope: eq, version: 3.0.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-006170 // NVD: CVE-2020-13883

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-13883
value: MEDIUM

Trust: 1.0

cve@mitre.org: CVE-2020-13883
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-006170
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202006-577
value: MEDIUM

Trust: 0.6

VULHUB: VHN-166706
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-13883
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-006170
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-166706
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-13883
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.5
version: 3.1

Trust: 1.0

cve@mitre.org: CVE-2020-13883
baseSeverity: MEDIUM
baseScore: 5.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 4.2
version: 3.0

Trust: 1.0

NVD: JVNDB-2020-006170
baseSeverity: MEDIUM
baseScore: 6.7
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: LOW
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-166706 // JVNDB: JVNDB-2020-006170 // CNNVD: CNNVD-202006-577 // NVD: CVE-2020-13883 // NVD: CVE-2020-13883

PROBLEMTYPE DATA

problemtype: CWE-611

Trust: 1.9

sources: VULHUB: VHN-166706 // JVNDB: JVNDB-2020-006170 // NVD: CVE-2020-13883

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202006-577

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202006-577

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-006170

PATCH

title: WSO2-2020-0727
url: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0727

Trust: 0.8

title: WSO2 API Manager and WSO2 API Microgateway, WSO2 IS as Key Manager Fixes for code issue vulnerabilities
url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=120674

Trust: 0.6

sources: JVNDB: JVNDB-2020-006170 // CNNVD: CNNVD-202006-577

EXTERNAL IDS

db: NVD, id: CVE-2020-13883

Trust: 2.5

db: JVNDB, id: JVNDB-2020-006170

Trust: 0.8

db: CNNVD, id: CNNVD-202006-577

Trust: 0.7

db: CNVD, id: CNVD-2020-36737

Trust: 0.1

db: VULHUB, id: VHN-166706

Trust: 0.1

sources: VULHUB: VHN-166706 // JVNDB: JVNDB-2020-006170 // CNNVD: CNNVD-202006-577 // NVD: CVE-2020-13883

REFERENCES

url: https://docs.wso2.com/display/security/security+advisory+wso2-2020-0727

Trust: 1.7

url: https://nvd.nist.gov/vuln/detail/cve-2020-13883

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-13883

Trust: 0.8

sources: VULHUB: VHN-166706 // JVNDB: JVNDB-2020-006170 // CNNVD: CNNVD-202006-577 // NVD: CVE-2020-13883

SOURCES

db: VULHUB, id: VHN-166706
db: JVNDB, id: JVNDB-2020-006170
db: CNNVD, id: CNNVD-202006-577
db: NVD, id: CVE-2020-13883

LAST UPDATE DATE

2024-11-23T22:25:26.536000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-166706, date: 2020-06-10T00:00:00
db: JVNDB, id: JVNDB-2020-006170, date: 2020-07-02T00:00:00
db: CNNVD, id: CNNVD-202006-577, date: 2020-06-11T00:00:00
db: NVD, id: CVE-2020-13883, date: 2024-11-21T05:02:04.300

SOURCES RELEASE DATE

db: VULHUB, id: VHN-166706, date: 2020-06-06T00:00:00
db: JVNDB, id: JVNDB-2020-006170, date: 2020-07-02T00:00:00
db: CNNVD, id: CNNVD-202006-577, date: 2020-06-06T00:00:00
db: NVD, id: CVE-2020-13883, date: 2020-06-06T19:15:09.690