CVE-2021-42646: 
WSO2 API Manager vulnerability analysis and mitigation

XML External Entity (XXE) vulnerability was discovered in the file based service provider creation feature of the Management Console in WSO2 API Manager (versions 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0), WSO2 IS as Key Manager (versions 5.7.0, 5.9.0, and 5.10.0), and WSO2 Identity Server (versions 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0). The vulnerability was discovered on February 14, 2021, and was publicly disclosed on May 11, 2022 (WSO2 Advisory).

The vulnerability is identified as CVE-2021-42646 with a CVSS v3.1 score of 9.1 CRITICAL. The issue allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests through the Management Console's file-based service provider creation feature (NVD).

The vulnerability enables malicious actors to read confidential files from the file system or access limited HTTP resources that are reachable over HTTP GET requests to the vulnerable product. Additionally, the vulnerability could be exploited to perform denial of service attacks by exhausting server resources (WSO2 Advisory).

Users are advised to upgrade to the latest version of the affected WSO2 products if their version is listed as vulnerable. For community users, the fix is available through a public patch on GitHub. WSO2 Subscription holders should update their products to specific update levels detailed in the advisory. The fix involves creating a secure parser for unmarshalling Service Provider File Content (GitHub PR, WSO2 Advisory).