{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "cpe": [
              "cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
              "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
              {
                "introduced": "2.6.0"
              },
              {
                "last_affected": "2.6.0"
              },
              {
                "introduced": "3.0.0"
              },
              {
                "last_affected": "3.0.0"
              },
              {
                "introduced": "3.1.0"
              },
              {
                "last_affected": "3.1.0"
              },
              {
                "introduced": "3.2.0"
              },
              {
                "last_affected": "3.2.0"
              },
              {
                "introduced": "4.0.0"
              },
              {
                "last_affected": "4.0.0"
              }
            ],
            "source": "CPE_STRING"
          },
          "events": [
            {
              "introduced": "a87463944acbc28f14c0af2a32dc30310147a0be"
            },
            {
              "last_affected": "cf00d9e6cb083f94abae11818794f62cd5c94079"
            }
          ],
          "repo": "https://github.com/wso2/product-apim",
          "type": "GIT"
        }
      ],
      "versions": [
        "2.6.0",
        "3.0.0",
        "3.1.0",
        "3.2.0",
        "4.0.0"
      ]
    }
  ],
  "database_specific": {
    "unresolved_ranges": [
      {
        "cpes": [
          "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
          "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*",
          "cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*",
          "cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*",
          "cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*"
        ],
        "extracted_events": [
          {
            "introduced": "5.7.0"
          },
          {
            "last_affected": "5.7.0"
          },
          {
            "introduced": "5.8.0"
          },
          {
            "last_affected": "5.8.0"
          },
          {
            "introduced": "5.9.0"
          },
          {
            "last_affected": "5.9.0"
          },
          {
            "introduced": "5.10.0"
          },
          {
            "last_affected": "5.10.0"
          },
          {
            "introduced": "5.11.0"
          },
          {
            "last_affected": "5.11.0"
          }
        ],
        "source": "CPE_STRING",
        "vendor_product": "wso2:identity_server"
      },
      {
        "cpes": [
          "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*",
          "cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*",
          "cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*"
        ],
        "extracted_events": [
          {
            "introduced": "5.7.0"
          },
          {
            "last_affected": "5.7.0"
          },
          {
            "introduced": "5.9.0"
          },
          {
            "last_affected": "5.9.0"
          },
          {
            "introduced": "5.10.0"
          },
          {
            "last_affected": "5.10.0"
          }
        ],
        "source": "CPE_STRING",
        "vendor_product": "wso2:identity_server_as_key_manager"
      }
    ]
  },
  "details": "XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.",
  "id": "CVE-2021-42646",
  "modified": "2026-07-18T03:42:01.508952275Z",
  "published": "2022-05-11T18:15:23.053Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "http://packetstormsecurity.com/files/167465/WSO2-Management-Console-XML-Injection.html"
    },
    {
      "type": "ADVISORY",
      "url": "http://seclists.org/fulldisclosure/2022/Jun/7"
    },
    {
      "type": "ADVISORY",
      "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1289/"
    },
    {
      "type": "FIX",
      "url": "https://github.com/wso2/carbon-identity-framework/pull/3472"
    }
  ],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}