CVE-2024-2374

HIGH

7.5

Description

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources. By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.

Details CVE

Score CVSS v3.17.5

SeveriteHIGH

Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vecteur d'attaqueNETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurNONE

Publie4/16/2026

Derniere modification4/17/2026

Sourcenvd

Observations honeypot0

Faiblesses (CWE)

CWE-611

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/(ed10eef1-636d-4fbe-9993-6890dfa878f8)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.