ID

VAR-202008-0546


CVE

CVE-2020-24591


TITLE

Vulnerability involving improper restriction of recursive entity references in DTDs in multiple WSO2 products

Trust: 0.8

sources: JVNDB: JVNDB-2020-010364

DESCRIPTION

The Management Console in certain WSO2 products allows XXE attacks during EventReceiver updates. This affects API Manager through 3.0.0, API Manager Analytics 2.2.0 and 2.5.0, API Microgateway 2.2.0, Enterprise Integrator 6.2.0 and 6.3.0, and Identity Server Analytics through 5.6.0. Multiple WSO2 products contain a vulnerability involving improper restriction of recursive entity references in DTDs. Information may be obtained and service operation may be interrupted (DoS). The XXE vulnerability exists in the management interface in WSO2

Trust: 1.71

sources: NVD: CVE-2020-24591 // JVNDB: JVNDB-2020-010364 // VULHUB: VHN-178485

AFFECTED PRODUCTS

vendor: wso2 // model: api manager analytics // scope: eq // version: 2.2.0

Trust: 1.8

vendor: wso2 // model: api manager analytics // scope: eq // version: 2.5.0

Trust: 1.8

vendor: wso2 // model: api microgateway // scope: eq // version: 2.2.0

Trust: 1.8

vendor: wso2 // model: enterprise integrator // scope: eq // version: 6.2.0

Trust: 1.8

vendor: wso2 // model: enterprise integrator // scope: eq // version: 6.3.0

Trust: 1.8

vendor: wso2 // model: identity server analytics // scope: lte // version: 5.6.0

Trust: 1.0

vendor: wso2 // model: api manager // scope: lte // version: 3.0.0

Trust: 1.0

vendor: wso2 // model: identity server analytics // scope: eq // version: 5.6.0

Trust: 0.8

vendor: wso2 // model: api manager // scope: eq // version: 3.0.0

Trust: 0.8

sources: JVNDB: JVNDB-2020-010364 // NVD: CVE-2020-24591

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2020-24591
value: MEDIUM

Trust: 1.0

cve@mitre.org: CVE-2020-24591
value: MEDIUM

Trust: 1.0

NVD: JVNDB-2020-010364
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-202008-1084
value: MEDIUM

Trust: 0.6

VULHUB: VHN-178485
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2020-24591
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

NVD: JVNDB-2020-010364
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: NONE
impactScore: NONE
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.8

VULHUB: VHN-178485
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

nvd@nist.gov: CVE-2020-24591
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: 1.2
impactScore: 5.2
version: 3.1

Trust: 2.0

NVD: JVNDB-2020-010364
baseSeverity: MEDIUM
baseScore: 6.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: HIGH
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: HIGH
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: VULHUB: VHN-178485 // JVNDB: JVNDB-2020-010364 // CNNVD: CNNVD-202008-1084 // NVD: CVE-2020-24591 // NVD: CVE-2020-24591

PROBLEMTYPE DATA

problemtype:CWE-611

Trust: 1.1

problemtype:CWE-776

Trust: 0.9

sources: VULHUB: VHN-178485 // JVNDB: JVNDB-2020-010364 // NVD: CVE-2020-24591

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-202008-1084

TYPE

code problem

Trust: 0.6

sources: CNNVD: CNNVD-202008-1084

CONFIGURATIONS

sources: JVNDB: JVNDB-2020-010364

PATCH

title: WSO2-2020-0728 // url: https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2020-0728

Trust: 0.8

title: WSO2 XXE Vulnerability fixes // url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=126959

Trust: 0.6

sources: JVNDB: JVNDB-2020-010364 // CNNVD: CNNVD-202008-1084

EXTERNAL IDS

db: NVD // id: CVE-2020-24591

Trust: 2.5

db: JVNDB // id: JVNDB-2020-010364

Trust: 0.8

db: CNNVD // id: CNNVD-202008-1084

Trust: 0.7

db: VULHUB // id: VHN-178485

Trust: 0.1

sources: VULHUB: VHN-178485 // JVNDB: JVNDB-2020-010364 // CNNVD: CNNVD-202008-1084 // NVD: CVE-2020-24591

REFERENCES

url:https://docs.wso2.com/display/security/security+advisory+wso2-2020-0728

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2020-24591

Trust: 1.4

url:https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2020-24591

Trust: 0.8

sources: VULHUB: VHN-178485 // JVNDB: JVNDB-2020-010364 // CNNVD: CNNVD-202008-1084 // NVD: CVE-2020-24591

SOURCES

db: VULHUB // id: VHN-178485
db: JVNDB // id: JVNDB-2020-010364
db: CNNVD // id: CNNVD-202008-1084
db: NVD // id: CVE-2020-24591

LAST UPDATE DATE

2024-11-23T21:59:07.508000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-178485 // date: 2022-04-19T00:00:00
db: JVNDB // id: JVNDB-2020-010364 // date: 2021-01-07T08:30:12
db: CNNVD // id: CNNVD-202008-1084 // date: 2022-04-20T00:00:00
db: NVD // id: CVE-2020-24591 // date: 2024-11-21T05:15:06.473

SOURCES RELEASE DATE

db: VULHUB // id: VHN-178485 // date: 2020-08-21T00:00:00
db: JVNDB // id: JVNDB-2020-010364 // date: 2021-01-07T08:30:12
db: CNNVD // id: CNNVD-202008-1084 // date: 2020-08-21T00:00:00
db: NVD // id: CVE-2020-24591 // date: 2020-08-21T20:15:11.093