
CVE-2020-13883 : Security Advisory and Response

Learn about CVE-2020-13883 affecting WSO2 API Manager, API Microgateway, and IS as Key Manager. Discover impact, mitigation steps, and prevention measures.

In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle.

Understanding CVE-2020-13883

This CVE involves a vulnerability in the Management Console of specific WSO2 products that could lead to XXE (XML External Entity) attacks.

What is CVE-2020-13883?

CVE-2020-13883 is a security vulnerability found in WSO2 API Manager, WSO2 API Microgateway, and WSO2 IS as Key Manager in the versions listed under Affected Systems and Versions below.

The Impact of CVE-2020-13883

The vulnerability has a CVSS base score of 5.5 (medium severity). Its vector records a high availability impact, a low confidentiality impact, and no integrity impact.

Technical Details of CVE-2020-13883

This section delves into the specifics of the vulnerability.

Vulnerability Description

The issue allows for XXE attacks during the addition or update of a Lifecycle in the Management Console of affected WSO2 products.

Affected Systems and Versions

        WSO2 API Manager 3.0.0 and earlier
        WSO2 API Microgateway 2.2.0
        WSO2 IS as Key Manager 5.9.0 and earlier

Exploitation Mechanism

The vulnerability is reachable over the network, requires high privileges (a Management Console account that can add or update a Lifecycle), and needs no user interaction.

Mitigation and Prevention

To address CVE-2020-13883, follow these steps:

Immediate Steps to Take

        Apply the necessary security patches provided by WSO2 for the affected products.
        Restrict network access to the Management Console to trusted sources.

Long-Term Security Practices

        Regularly update and patch all software components to prevent vulnerabilities.
        Implement secure coding practices to mitigate XXE vulnerabilities.
        Conduct security assessments and audits periodically.
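As an added illustration of the secure-coding item above (this is example code written here, not WSO2's own Lifecycle-handling code), the following Java class shows the parser hardening that removes the XXE class of bug when an XML document such as a lifecycle definition is accepted from a user: the DOCTYPE is refused outright, external entity resolution and external DTD loading are switched off, and XInclude is disabled. The sample lifecycle-style document, the `SampleLifeCycle` name and the `http://example.invalid/ext.dtd` URL are constructed placeholders, not WSO2's actual schema or any real endpoint.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class LifecycleXmlHardening {

    // Hardened factory for untrusted XML: refusing the DOCTYPE means no entity
    // (internal, external, or parameter) can be declared at all, and the remaining
    // features ensure no external DTD or entity is ever fetched even if a parser
    // implementation ignores the first flag.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Parses a user-supplied lifecycle definition with the hardened factory.
    // Returns the root element name on success; throws SAXException when the
    // document carries a DOCTYPE, which is the signal to reject the upload.
    static String parseLifecycle(String xml) throws Exception {
        DocumentBuilder builder = hardenedFactory().newDocumentBuilder();
        Document doc = builder.parse(
            new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        return doc.getDocumentElement().getTagName();
    }

    public static void main(String[] args) throws Exception {
        // Constructed, simplified lifecycle-style document (not WSO2's real schema).
        String benign = "<?xml version=\"1.0\"?>"
            + "<aspect name=\"SampleLifeCycle\"><state id=\"Created\"/></aspect>";

        // The same document with a DOCTYPE that declares an external entity.
        // The URL is a placeholder; the hardened parser never contacts it.
        String withDoctype = "<?xml version=\"1.0\"?>"
            + "<!DOCTYPE aspect [<!ENTITY ext SYSTEM \"http://example.invalid/ext.dtd\">]>"
            + "<aspect name=\"SampleLifeCycle\"><state id=\"&ext;\"/></aspect>";

        System.out.println("benign document root: " + parseLifecycle(benign));
        try {
            parseLifecycle(withDoctype);
            System.out.println("UNEXPECTED: document with DOCTYPE was accepted");
        } catch (SAXException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

The first flag alone (`disallow-doctype-decl`) is sufficient with the JDK's built-in Xerces parser; the others are kept so the configuration stays safe if a different JAXP implementation is on the classpath. For detection, a Management Console request containing a `<!DOCTYPE` in a submitted Lifecycle definition is worth logging and alerting on, since a legitimate definition has no need for one.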

Patching and Updates

Ensure that you update to the latest versions of WSO2 API Manager, WSO2 API Microgateway, and WSO2 IS as Key Manager to eliminate the XXE vulnerability.
