{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-8010", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "state": "PUBLISHED", "assignerShortName": "WSO2", "dateReserved": "2024-08-20T12:45:54.123Z", "datePublished": "2026-04-16T09:39:20.130Z", "dateUpdated": "2026-04-16T12:30:36.466Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2026-04-16T09:39:20.130Z"}, "title": "XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference ('XXE')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-120", "descriptions": [{"lang": "en", "value": "CAPEC-120 CAPEC-120: XML External Entity (XXE) Injection"}]}], "affected": [{"vendor": "WSO2", "product": "WSO2 API Manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "3.2.0", "versionType": "custom"}, {"status": "affected", "version": "3.2.0", "lessThan": "3.2.0.397", "versionType": "custom"}, {"status": "affected", "version": "3.2.1", "lessThan": "3.2.1.27", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.0.310", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.0.319", "versionType": "custom"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.0.171", "versionType": "custom"}, {"status": "affected", "version": "4.2.0", "lessThan": "4.2.0.127", "versionType": "custom"}, {"status": "affected", "version": "4.3.0", "lessThan": "4.3.0.39", "versionType": "custom"}], "defaultStatus": "unaffected"}], "cpeApplicability": [{"operator": "OR", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.0", "versionEndExcluding": "3.2.0.397"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "3.2.1", "versionEndExcluding": "3.2.1.27"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.0.0.310"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.0.0.319"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.1.0", "versionEndExcluding": "4.1.0.171"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.2.0", "versionEndExcluding": "4.2.0.127"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.3.0", "versionEndExcluding": "4.3.0.39"}]}]}], "descriptions": [{"lang": "en", "value": "The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.\n\nBy leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.\n\nBy leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product."}]}], "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "LOW", "baseScore": 3.5, "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "solutions": [{"lang": "en", "value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/#solution", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/#solution</span></a> <br>"}]}], "source": {"advisory": "WSO2-2024-3581", "discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T12:19:58.639337Z", "id": "CVE-2024-8010", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:30:36.466Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8010", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T12:19:58.639337Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:19:59.812Z"}}], "cna": {"title": "XML External Entity Injection via Publisher in WSO2 API Manager Allows Reading Arbitrary Files", "source": {"advisory": "WSO2-2024-3581", "discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-120", "descriptions": [{"lang": "en", "value": "CAPEC-120 CAPEC-120: XML External Entity (XXE) Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.5, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WSO2", "product": "WSO2 API Manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "3.2.0", "versionType": "custom"}, {"status": "affected", "version": "3.2.0", "lessThan": "3.2.0.397", "versionType": "custom"}, {"status": "affected", "version": "3.2.1", "lessThan": "3.2.1.27", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.0.310", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.0.319", "versionType": "custom"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.0.171", "versionType": "custom"}, {"status": "affected", "version": "4.2.0", "lessThan": "4.2.0.127", "versionType": "custom"}, {"status": "affected", "version": "4.3.0", "lessThan": "4.3.0.39", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/#solution", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/#solution</span></a> <br>", "base64": false}]}], "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.\n\nBy leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.", "supportingMedia": [{"type": "text/html", "value": "The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.\n\nBy leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-611", "description": "CWE-611: Improper Restriction of XML External Entity Reference ('XXE')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.2.0.397", "versionStartIncluding": "3.2.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "3.2.1.27", "versionStartIncluding": "3.2.1"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.310", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.0.0.319", "versionStartIncluding": "4.0.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.1.0.171", "versionStartIncluding": "4.1.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.2.0.127", "versionStartIncluding": "4.2.0"}, {"criteria": "cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.3.0.39", "versionStartIncluding": "4.3.0"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2026-04-16T09:39:20.130Z"}}}, "cveMetadata": {"cveId": "CVE-2024-8010", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:30:36.466Z", "dateReserved": "2024-08-20T12:45:54.123Z", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "datePublished": "2026-04-16T09:39:20.130Z", "assignerShortName": "WSO2"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "7EAFC85D-07D1-4121-A99E-F969A8DA6A9C", "versionEndExcluding": "3.2.0.397", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "569FCD48-8AEB-49FC-958F-731595A35A53", "versionEndExcluding": "3.2.1.27", "versionStartIncluding": "3.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "CD58F5B9-9CA4-4268-A88C-C833D2F70095", "versionEndIncluding": "4.0.0.310", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "5F7CC5DD-5B34-4930-B958-2F28538F1682", "versionEndExcluding": "4.1.0.171", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "6B2AD455-447A-4EEC-9010-3514D1A0BAE7", "versionEndExcluding": "4.2.0.127", "versionStartIncluding": "4.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "1D81B8C1-03A4-40A7-8C62-0EBB7D88E902", "versionEndExcluding": "4.3.0.39", "versionStartIncluding": "4.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references.\n\nBy leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product."}], "id": "CVE-2024-8010", "lastModified": "2026-04-23T15:35:27.307", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 3.5, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 1.4, "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-16T10:16:14.050", "references": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "tags": ["Vendor Advisory"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3581/"}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-611"}], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.2.0,3.2.0.397)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.2.1,3.2.1.27)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.0.0,4.0.0.310)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.0.0,4.0.0.319)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.1.0,4.1.0.171)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.2.0,4.2.0.127)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.3.0,4.3.0.39)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "WSO2 API Manager", "source": "cna", "vendor": "WSO2"}, "product": "api_manager", "vendor": "wso2"}], "analysis": {"en": {"generated_at": "2026-04-17T03:26:45.675068+00:00", "value": {"mitigation_remediation": ["Apply the patch and configuration changes detailed by WSO2 on the advisory page linked above, which disable external entity resolution for the publisher input.", "If a patch cannot be applied immediately, configure the application to reject or sanitize XML submissions that contain external entity references, effectively denying the exploit channel from the publisher endpoint.", "Restrict network exposure of the publisher interface and enforce authentication to limit the attack surface, ensuring that only authorized users can submit XML payloads."], "summary": {"action": "Immediate Patch", "impact": "Confidentiality breach via arbitrary file read"}, "threat_synthesis": {"affected_systems": "The vulnerability affects WSO2 API Manager. Specific product versions are not listed in the advisory; administrators should consult the vendor\u2019s documentation to determine which releases are impacted and apply the recommended fix.", "description_and_impact": "A component in WSO2 API Manager accepts XML input on the publisher interface without disabling external entity resolution, enabling an attacker to craft XML that references external entities. When processed, the server resolves these entities, allowing the attacker to read any file accessible to the process and to make HTTP GET requests to local or remote resources. This leads to confidential data exposure and potential extraction of sensitive configuration files, thus violating the confidentiality of the system.", "risk_and_exploitability": "The CVSS score of 3.5 indicates a low severity, and no EPSS score is available, implying limited public exploitation data. The vulnerability is not listed in the CISA KEV catalog, further suggesting a low exploitation likelihood. Based on the description, the attack vector is inferred to be an external network request to the publisher endpoint carrying a malicious XML payload. The potential impact is limited to file read capabilities rather than full code execution or denial of service."}}}}, "created": "2026-04-16T12:30:05.967891+00:00", "updated": "2026-04-17T03:30:08.598807+00:00", "vendors": ["wso2", "wso2$PRODUCT$api_manager"]}