ID

VAR-202008-0544


CVE

CVE-2020-24589


TITLE

Improper restriction of recursive entity references in DTDs vulnerability in WSO2 API Manager and API Microgateway

Trust: 0.8

sources: JVNDB: JVNDB-2020-010362

DESCRIPTION

The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks. WSO2 API Manager and API Microgateway contain a vulnerability involving improper restriction of recursive entity references in DTDs. Information may be obtained and service operation may be interrupted (DoS). The following products and versions are affected: WSO2 API Manager from version 3.1.0 and API Microgateway version 2.2.0.

Trust: 1.8

sources: NVD: CVE-2020-24589 // JVNDB: JVNDB-2020-010362 // VULHUB: VHN-178482 // VULMON: CVE-2020-24589

AFFECTED PRODUCTS

vendor: wso2, model: api microgateway, scope: eq, version: 2.2.0

Trust: 1.8

vendor: wso2, model: api manager, scope: lte, version: 3.1.0

Trust: 1.0

vendor: wso2, model: api manager, scope: eq, version: 3.1.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-010362 // NVD: CVE-2020-24589

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-24589
value: CRITICAL

Trust: 1.0

cve@mitre.org: CVE-2020-24589
value: CRITICAL

Trust: 1.0

NVD: JVNDB-2020-010362
value: CRITICAL

Trust: 0.8

CNNVD: CNNVD-202008-1088
value: CRITICAL

Trust: 0.6

VULHUB: VHN-178482
value: MEDIUM

Trust: 0.1

VULMON: CVE-2020-24589
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-24589
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

NVD: JVNDB-2020-010362
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-178482
severity: MEDIUM
baseScore: 6.4
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-24589
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 3.9
impactScore: 5.2
version: 3.1

Trust: 2.0

NVD: JVNDB-2020-010362
baseSeverity: CRITICAL
baseScore: 9.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-178482 // VULMON: CVE-2020-24589 // JVNDB: JVNDB-2020-010362 // CNNVD: CNNVD-202008-1088 // NVD: CVE-2020-24589 // NVD: CVE-2020-24589

PROBLEMTYPE DATA

problemtype: CWE-611

Trust: 1.1

problemtype: CWE-776

Trust: 0.9

sources: VULHUB: VHN-178482 // JVNDB: JVNDB-2020-010362 // NVD: CVE-2020-24589

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202008-1088

TYPE

other

Trust: 0.6

sources: CNNVD: CNNVD-202008-1088

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-010362

PATCH

title: WSO2-2020-0742, url: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0742

Trust: 0.8

title: WSO2 CVE Extractor, url: https://github.com/athiththan11/WSO2-CVE-Extractor

Trust: 0.1

title: Kenzer Templates [5170] [DEPRECATED], url: https://github.com/ARPSyndicate/kenzer-templates

Trust: 0.1

sources: VULMON: CVE-2020-24589 // JVNDB: JVNDB-2020-010362

EXTERNAL IDS

db: NVD, id: CVE-2020-24589

Trust: 2.6

db: JVNDB, id: JVNDB-2020-010362

Trust: 0.8

db: CNNVD, id: CNNVD-202008-1088

Trust: 0.7

db: VULHUB, id: VHN-178482

Trust: 0.1

db: VULMON, id: CVE-2020-24589

Trust: 0.1

sources: VULHUB: VHN-178482 // VULMON: CVE-2020-24589 // JVNDB: JVNDB-2020-010362 // CNNVD: CNNVD-202008-1088 // NVD: CVE-2020-24589

REFERENCES

url: https://docs.wso2.com/display/security/security+advisory+wso2-2020-0742

Trust: 1.8

url: https://nvd.nist.gov/vuln/detail/cve-2020-24589

Trust: 1.4

url: https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-24589

Trust: 0.8

url: https://cwe.mitre.org/data/definitions/611.html

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

url: https://github.com/athiththan11/wso2-cve-extractor

Trust: 0.1

sources: VULHUB: VHN-178482 // VULMON: CVE-2020-24589 // JVNDB: JVNDB-2020-010362 // CNNVD: CNNVD-202008-1088 // NVD: CVE-2020-24589

SOURCES

db: VULHUB, id: VHN-178482
db: VULMON, id: CVE-2020-24589
db: JVNDB, id: JVNDB-2020-010362
db: CNNVD, id: CNNVD-202008-1088
db: NVD, id: CVE-2020-24589

LAST UPDATE DATE

2024-11-23T22:16:21.112000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-178482, date: 2021-07-21T00:00:00
db: VULMON, id: CVE-2020-24589, date: 2021-07-21T00:00:00
db: JVNDB, id: JVNDB-2020-010362, date: 2021-01-07T08:30:08
db: CNNVD, id: CNNVD-202008-1088, date: 2020-08-28T00:00:00
db: NVD, id: CVE-2020-24589, date: 2024-11-21T05:15:06.123

SOURCES RELEASE DATE

db: VULHUB, id: VHN-178482, date: 2020-08-21T00:00:00
db: VULMON, id: CVE-2020-24589, date: 2020-08-21T00:00:00
db: JVNDB, id: JVNDB-2020-010362, date: 2021-01-07T08:30:08
db: CNNVD, id: CNNVD-202008-1088, date: 2020-08-21T00:00:00
db: NVD, id: CVE-2020-24589, date: 2020-08-21T20:15:10.967