{"id":"CVE-2023-6836","details":"Multiple WSO2 products have been identified as vulnerable to XML External Entity (XXE) attacks. An XXE attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.","aliases":["GHSA-cr8h-fr86-8vfv"],"modified":"2026-05-28T04:09:46.070856096Z","published":"2023-12-15T10:15:09.407Z","database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:a:wso2:api_microgateway:2.2.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"wso2:api_microgateway","extracted_events":[{"last_affected":"2.2.0"}]},{"cpes":["cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:*","cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"wso2:identity_server","extracted_events":[{"last_affected":"5.4.0"},{"last_affected":"5.4.1"},{"last_affected":"5.5.0"},{"last_affected":"5.6.0"}]},{"cpes":["cpe:2.3:a:wso2:identity_server_as_key_manager:5.0.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","vendor_product":"wso2:identity_server_as_key_manager","extracted_events":[{"last_affected":"5.0.0"},{"last_affected":"5.6.0"},{"last_affected":"5.7.0"},{"last_affected":"5.9.0"}]},{"cpes":["cpe:2.3:a:wso2:micro_integrator:1.0.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","extracted_events":[{"last_affected":"1.0.0"}],"vendor_product":"wso2:micro_integrator"}]},"references":[{"type":"ADVISORY","url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2020-0716/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wso2/analytics-apim","events":[{"introduced":"0"},{"last_affected":"5473541ec4434aeb0a2a1f583d672e1d1748240a"},{"last_affected":"78105a9da92efdcfceac
a4c011a7960ebd3df0e3"}],"database_specific":{"cpe":["cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*","cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*"],"source":"CPE_STRING","extracted_events":[{"introduced":"0"},{"last_affected":"2.2.0"},{"last_affected":"2.5.0"}]}}],"versions":["v2.5.0-rc1","v2.5.0","v2.5.0.Beta","v2.5.0-Alpha","v2.2.0-update2","v2.2.0-update1","v2.2.0","v2.2.0-rc3","v2.2.0-rc2","v2.2.0-rc","v2.1.0-update9","v2.1.0-update8","v2.1.0-update7","v2.1.0-update6","v2.1.0-update5","v2.1.0-update4","v2.1.0-update3","v2.1.0-update2","v2.1.0-alpha","v1.0.0-m2","v1.0.0-m1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-6836.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/wso2/product-apim","events":[{"introduced":"0"},{"last_affected":"727d091683c8199c37f2d19ab3198abee6553904"}],"database_specific":{"cpe":"cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*","source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"last_affected":"3.0.0"}]}}],"versions":["v3.0.0-rc3","v3.0.0","v3.0.0-rc2","v3.0.0-rc1","v3.0.0-beta","v3.0.0-alpha2","v3.0.0-alpha","v3.0.0-m35","v3.0.0-m34","v3.0.0-m33","v3.0.0-m32","v2.6.0-rc3","v2.6.0","v2.6.0-rc2","v2.6.0-rc1","v2.6.0-beta2","v2.6.0-beta","v2.6.0-alpha2","v2.6.0-alpha","v2.6.0-m2","v2.6.0-m1","v2.5.0-rc4","v2.5.0","v2.5.0-rc3","v2.5.0-rc2","v2.5.0-rc1","v2.5.0-Beta","v2.5.0-Alpha","v2.2.0-update7","v2.2.0-update6","v2.2.0-update5","v2.2.0-update4","v2.2.0-update3","v2.2.0-update2","v2.2.0-update1","v2.2.0","v2.1.0-update14","v2.1.0-update13","v2.1.0-update12","v2.1.0-update11","v2.1.0-update10","v2.1.0-update9","v2.1.0-update8","v2.1.0-update7","v2.1.0-update5","v2.1.0-update3","v2.1.0-update2","v2.1.0-update1","v2.1.0-alpha","v2.0.0-ALPHA","v2.0.0-M4","v1.9.0","v1.9.0-Beta-3","v1.9.0-Beta-2","v1.9.0-Beta","v1.9.0-Alpha","test-tag-1.9.0-Alpha","v1.9.0-M2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-co
nversion/osv-output/CVE-2023-6836.json"}},{"ranges":[{"type":"GIT","repo":"https://github.com/wso2/product-ei","events":[{"introduced":"0"},{"last_affected":"bfdf341ab6dcfccce35c88b8a1567604f07ba8f5"}],"database_specific":{"cpe":"cpe:2.3:a:wso2:enterprise_integrator:*:*:*:*:*:*:*:*","source":"CPE_RANGE","extracted_events":[{"introduced":"0"},{"last_affected":"6.6.0"}]}}],"versions":["v6.6.0-rc3","v6.6.0","v6.6.0-rc2","v6.6.0-rc1","v6.6.0-beta","v6.5.0-rc1","v6.5.0","v6.5.0-m6","v6.5.0-m4","v6.5.0-m3","v6.5.0-m2","v6.5.0-m1","v6.4.0-rc1","v6.4.0","v6.4.0-m8","v6.4.0-m7","v6.4.0-m6","v6.4.0-m5","v6.4.0-m4","v6.4.0-m3","v6.4.0-m2","v6.4.0-m1","v6.3.0-rc2","v6.3.0","v6.3.0-rc1","v6.3.0-m11","v6.3.0-m10","v6.3.0-m9","v6.3.0-m8","v6.3.0-m7","v6.3.0-m6","v6.3.0-m5","v6.3.0-m4","v6.3.0-m3","v6.3.0-m2","v6.3.0-m1","v6.2.0-rc2","v6.2.0","v6.2.0-rc1","v6.1.1-update24","v6.1.1-update23","v6.1.1-update22","v6.1.1-update21","v6.1.1-update20","v6.1.1-update19","v6.1.1-update18","v6.1.1-update17","v6.1.1-update16","v6.1.1-update15","v6.1.1-update14","v6.1.1-update13","v6.1.1-update12","v6.1.1-update11","v6.1.1-update10","v6.1.1-update9","v6.1.1-update8","v6.0.0-m1"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-6836.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}]}