| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.wso2.carbon.mediation:org.wso2.carbon.localentry | maven | < 4.7.259 | |
Analysis of the referenced security patch (commit b995b2f1db96a4697791f0202cc8713f15640fd5) shows an XML External Entity (XXE) weakness. The patch modifies the nonCoalescingStringToOm method of the org.wso2.carbon.localentry.service.LocalEntryAdmin class. Before the patch, the XMLInputFactory used to parse the supplied XML was created with its default settings, so DTD processing and external entity resolution were left enabled. An attacker who could submit XML to a service path that reaches this method could include a DOCTYPE declaring an external entity, which the parser would resolve: files readable by the server process could be disclosed in the resulting document, and recursive entity expansion could exhaust memory or CPU (denial of service). The patch sets XMLInputFactory.SUPPORT_DTD and XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES to false on the factory, so the parser neither processes the DTD nor resolves external entities. The nonCoalescingStringToOm method is therefore identified as the vulnerable function. When reviewing the fix, confirm that both properties are set on every XMLInputFactory instance the class creates and before createXMLStreamReader is called. These are standard StAX property names, so they apply whichever StAX implementation is on the classpath (the JDK's built-in parser or Woodstox), although the exact behaviour on a DOCTYPE differs between implementations: one raises an XMLStreamException, the other leaves the entity reference unresolved. Neither returns the referenced file's contents.
Vulnerable function: org.wso2.carbon.localentry.service.LocalEntryAdmin.nonCoalescingStringToOm
File: components/mediation-admin/org.wso2.carbon.localentry/src/main/java/org/wso2/carbon/localentry/service/LocalEntryAdmin.java
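The following is an added illustration, not WSO2 code and not the body of nonCoalescingStringToOm: it runs the same StAX parse twice against a constructed XXE payload, once with a default XMLInputFactory (the pre-patch state) and once with the two properties the patch sets. The class name XxeDemo, the payload, and the temporary "secret" file are all constructed for the demo; the original method additionally builds an Axiom OM tree from the reader, which is omitted here because the parser configuration is the only part the patch changes.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

/**
 * Added demo (not project code): the same StAX parse with and without the
 * properties set by the patch, fed a constructed XXE payload.
 */
public class XxeDemo {

    /** Constructed payload: a DOCTYPE whose external entity reads a local file. */
    static String payload(Path secretFile) {
        return "<?xml version=\"1.0\"?>\n"
             + "<!DOCTYPE localEntry [\n"
             + "  <!ENTITY xxe SYSTEM \"" + secretFile.toUri() + "\">\n"
             + "]>\n"
             + "<localEntry key=\"demo\">&xxe;</localEntry>";
    }

    /** Pre-patch state: a factory with default settings, nothing disabled. */
    static String parseUnhardened(String xml) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        return collectText(factory, xml);
    }

    /** Patched state: DTD processing and external entity resolution both off. */
    static String parseHardened(String xml) throws XMLStreamException {
        XMLInputFactory factory = XMLInputFactory.newInstance();
        factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
        factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
        return collectText(factory, xml);
    }

    /** Collects all character data, the way a consumer of the parsed document would see it. */
    private static String collectText(XMLInputFactory factory, String xml) throws XMLStreamException {
        XMLStreamReader reader = factory.createXMLStreamReader(new StringReader(xml));
        StringBuilder text = new StringBuilder();
        try {
            while (reader.hasNext()) {
                if (reader.next() == XMLStreamConstants.CHARACTERS) {
                    text.append(reader.getText());
                }
            }
        } finally {
            reader.close();
        }
        return text.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file the server process can read.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.write(secret, "TOP-SECRET".getBytes(StandardCharsets.UTF_8));
        String xml = payload(secret);
        try {
            // With defaults the entity is resolved and the file content is returned.
            System.out.println("unhardened: " + parseUnhardened(xml));
            try {
                // With the patch's settings the DOCTYPE is not processed: depending on the
                // StAX implementation this either throws or yields text without the file content.
                System.out.println("hardened:   " + parseHardened(xml));
            } catch (XMLStreamException e) {
                System.out.println("hardened:   rejected (" + e.getMessage() + ")");
            }
        } finally {
            Files.deleteIfExists(secret);
        }
    }
}
```

Compile and run with a plain JDK (javac XxeDemo.java && java XxeDemo); no WSO2 dependencies are needed. The first line of output contains TOP-SECRET, the second never does, which is the observable difference the patch makes. The entity here points at a file URI, but the same unhardened parse would also follow http:// URIs, so the unpatched behaviour is also a server-side request vector.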