CVE-2023-6836: 
Java vulnerability analysis and mitigation

Multiple WSO2 products have been identified as vulnerable to an XML External Entity (XXE) attack vulnerability (CVE-2023-6836). The vulnerability was discovered and disclosed on December 15, 2023. Affected products include WSO2 API Manager 3.0.0 or earlier, WSO2 API Manager Analytics (versions 2.2.0, 2.5.0), WSO2 API Microgateway 2.2.0, WSO2 Enterprise Integrator 6.6.0 or earlier, WSO2 IS as Key Manager (versions 5.0.0, 5.6.0, 5.7.0, 5.9.0), WSO2 Identity Server (versions 5.4.0, 5.4.1, 5.5.0, 5.6.0), and WSO2 Micro Integrator 1.0.0 (WSO2 Advisory).

The vulnerability exploits XML parsers by abusing a widely available but rarely used feature to access sensitive information. The CVSS v3.1 base score is 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) according to NVD assessment, while WSO2 LLC rates it as 4.6 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N) (NVD).

When external entity references are enabled, if an attacker can submit controlled XML to the parser, they could potentially gain unauthorized access to information about internal networks, local filesystem, or other sensitive data (WSO2 Advisory).

Users are advised to either migrate to the latest version of the affected WSO2 products if not listed in the affected versions, or apply the relevant fixes available in public repositories. WSO2 customers with support subscriptions should use WSO2 Updates to apply the fix. Public fixes are available through multiple GitHub pull requests (WSO2 Advisory).