CVE-2024-2374

XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary file read and Denial of Service

Assigner: WSO2
Reserved: 11.03.2024 Published: 16.04.2026 Updated: 16.04.2026

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources.

By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS Score: 7.5

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	None
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	WSO2
Product	WSO2 API Manager
Versions	Default: unaffected unknown from 0 to 3.1.0 (excl.) affected from 3.1.0 to 3.1.0.278 (excl.) affected from 3.2.0 to 3.2.0.368 (excl.) affected from 4.0.0 to 4.0.0.280 (excl.) affected from 4.1.0 to 4.1.0.206 (excl.) affected from 4.2.0 to 4.2.0.144 (excl.) affected from 4.3.0 to 4.3.0.57 (excl.)

Vendor

WSO2

Product

WSO2 API Manager

Versions

Default: unaffected

unknown from 0 to 3.1.0 (excl.)
affected from 3.1.0 to 3.1.0.278 (excl.)
affected from 3.2.0 to 3.2.0.368 (excl.)
affected from 4.0.0 to 4.0.0.280 (excl.)
affected from 4.1.0 to 4.1.0.206 (excl.)
affected from 4.2.0 to 4.2.0.144 (excl.)
affected from 4.3.0 to 4.3.0.57 (excl.)

Vendor	WSO2
Product	WSO2 Identity Server
Versions	Default: unaffected unknown from 0 to 5.10.0 (excl.) affected from 5.10.0 to 5.10.0.300 (excl.) affected from 5.11.0 to 5.11.0.329 (excl.) affected from 6.0.0 to 6.0.0.179 (excl.) affected from 6.1.0 to 6.1.0.136 (excl.)

Vendor

WSO2

Product

WSO2 Identity Server

Versions

Default: unaffected

unknown from 0 to 5.10.0 (excl.)
affected from 5.10.0 to 5.10.0.300 (excl.)
affected from 5.11.0 to 5.11.0.329 (excl.)
affected from 6.0.0 to 6.0.0.179 (excl.)
affected from 6.1.0 to 6.1.0.136 (excl.)

Vendor	WSO2
Product	WSO2 Open Banking AM
Versions	Default: unaffected unknown from 0 to 2.0.0 (excl.) affected from 2.0.0 to 2.0.0.328 (excl.)

Vendor

WSO2

Product

WSO2 Open Banking AM

Versions

Default: unaffected

unknown from 0 to 2.0.0 (excl.)
affected from 2.0.0 to 2.0.0.328 (excl.)

Vendor	WSO2
Product	WSO2 Open Banking IAM
Versions	Default: unaffected unknown from 0 to 2.0.0 (excl.) affected from 2.0.0 to 2.0.0.348 (excl.)

Vendor

WSO2

Product

WSO2 Open Banking IAM

Versions

Default: unaffected

unknown from 0 to 2.0.0 (excl.)
affected from 2.0.0 to 2.0.0.348 (excl.)

Vendor	WSO2
Product	WSO2 Identity Server as Key Manager
Versions	Default: unaffected unknown from 0 to 5.10.0 (excl.) affected from 5.10.0 to 5.10.0.296 (excl.)

Vendor

WSO2

Product

WSO2 Identity Server as Key Manager

Versions

Default: unaffected

unknown from 0 to 5.10.0 (excl.)
affected from 5.10.0 to 5.10.0.296 (excl.)

Solutions

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/#solution

References

Problem Types

CWE-611: Improper Restriction of XML External Entity Reference ('XXE') CWE

Impacts

CAPEC-113 CAPEC-113: XML External Entity Expansion
CAPEC-602 CAPEC-602: XML Entity Injection

CVE-2024-2374 PUBLISHED

XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary file read and Denial of Service

Metrics

Product Status

Solutions

References

Problem Types

Impacts