{"api_version":"1","generated_at":"2026-05-13T00:06:34+00:00","cve":"CVE-2024-2374","urls":{"html":"https://cve.report/CVE-2024-2374","api":"https://cve.report/api/cve/CVE-2024-2374.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-2374","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-2374"},"summary":{"title":"XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary file read and Denial of Service","description":"The XML parsers within multiple WSO2 products accept user-supplied XML data without being properly configured to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources.\n\nBy leveraging this vulnerability, an attacker can read confidential files from the file system and access a limited set of HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.","state":"PUBLISHED","assigner":"WSO2","published_at":"2026-04-16 09:16:34","updated_at":"2026-04-23 15:36:05"},"problem_types":["CWE-611","CWE-611 CWE-611: Improper Restriction of XML External Entity Reference 
('XXE')"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"}},{"version":"3.1","source":"ed10eef1-636d-4fbe-9993-6890dfa878f8","type":"Secondary","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"CVSS","score":"7.5","severity":"HIGH","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","data":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"}}],"references":[{"url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/","name":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/","refsource":"ed10eef1-636d-4fbe-9993-6890dfa878f8","tags":["Vendor Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2374","name":"CVE Program 
record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2374","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"WSO2","product":"WSO2 API Manager","version":"unknown 3.1.0 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 API Manager","version":"affected 3.1.0 3.1.0.278 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 API Manager","version":"affected 3.2.0 3.2.0.368 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 API Manager","version":"affected 4.0.0 4.0.0.280 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 API Manager","version":"affected 4.1.0 4.1.0.206 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 API Manager","version":"affected 4.2.0 4.2.0.144 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 API Manager","version":"affected 4.3.0 4.3.0.57 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server","version":"unknown 5.10.0 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server","version":"affected 5.10.0 5.10.0.300 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server","version":"affected 5.11.0 5.11.0.329 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server","version":"affected 6.0.0 6.0.0.179 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server","version":"affected 6.1.0 6.1.0.136 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Open Banking AM","version":"unknown 2.0.0 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Open Banking AM","version":"affected 2.0.0 2.0.0.328 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Open Banking IAM","version":"unknown 2.0.0 
custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Open Banking IAM","version":"affected 2.0.0 2.0.0.348 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server as Key Manager","version":"unknown 5.10.0 custom","platforms":[]},{"source":"CNA","vendor":"WSO2","product":"WSO2 Identity Server as Key Manager","version":"affected 5.10.0 5.10.0.296 custom","platforms":[]}],"timeline":[],"solutions":[{"source":"CNA","title":"","value":"Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/#solution","time":"","lang":"en"}],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2024","cve_id":"2374","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"wso2","cpe5":"api_manager","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2024","cve_id":"2374","cve":"CVE-2024-2374","epss":"0.000110000","percentile":"0.012950000","score_date":"2026-04-21","updated_at":"2026-04-22 00:07:41"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2024-2374","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2026-04-16T12:29:10.744728Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-16T12:30:49.250Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"WSO2 API 
Manager","vendor":"WSO2","versions":[{"lessThan":"3.1.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"3.1.0.278","status":"affected","version":"3.1.0","versionType":"custom"},{"lessThan":"3.2.0.368","status":"affected","version":"3.2.0","versionType":"custom"},{"lessThan":"4.0.0.280","status":"affected","version":"4.0.0","versionType":"custom"},{"lessThan":"4.1.0.206","status":"affected","version":"4.1.0","versionType":"custom"},{"lessThan":"4.2.0.144","status":"affected","version":"4.2.0","versionType":"custom"},{"lessThan":"4.3.0.57","status":"affected","version":"4.3.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Identity Server","vendor":"WSO2","versions":[{"lessThan":"5.10.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"5.10.0.300","status":"affected","version":"5.10.0","versionType":"custom"},{"lessThan":"5.11.0.329","status":"affected","version":"5.11.0","versionType":"custom"},{"lessThan":"6.0.0.179","status":"affected","version":"6.0.0","versionType":"custom"},{"lessThan":"6.1.0.136","status":"affected","version":"6.1.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Open Banking AM","vendor":"WSO2","versions":[{"lessThan":"2.0.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"2.0.0.328","status":"affected","version":"2.0.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Open Banking IAM","vendor":"WSO2","versions":[{"lessThan":"2.0.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"2.0.0.348","status":"affected","version":"2.0.0","versionType":"custom"}]},{"defaultStatus":"unaffected","product":"WSO2 Identity Server as Key 
Manager","vendor":"WSO2","versions":[{"lessThan":"5.10.0","status":"unknown","version":"0","versionType":"custom"},{"lessThan":"5.10.0.296","status":"affected","version":"5.10.0","versionType":"custom"}]}],"cpeApplicability":[{"nodes":[{"cpeMatch":[{"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"3.1.0.278","versionStartIncluding":"3.1.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"3.2.0.368","versionStartIncluding":"3.2.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"4.0.0.280","versionStartIncluding":"4.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"4.1.0.206","versionStartIncluding":"4.1.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"4.2.0.144","versionStartIncluding":"4.2.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_api_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"4.3.0.57","versionStartIncluding":"4.3.0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.0.300","versionStartIncluding":"5.10.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*","versionEndExcluding":"5.11.0.329","versionStartIncluding":"5.11.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*","versionEndExcluding":"6.0.0.179","versionStartIncluding":"6.0.0","vulnerable":true},{"criteria":"cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:*","versionEndExcluding":"6.1.0.136","versionStartIncluding":"6.1.0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:a:wso2:wso2_open_banking_am:*:*:*:*:*:*:*:*","versionEndExcluding":"2.0.0.328","versionStartIncluding":"2.0.0","vulnerable":true}],"negate":false,"op
erator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:a:wso2:wso2_open_banking_iam:*:*:*:*:*:*:*:*","versionEndExcluding":"2.0.0.348","versionStartIncluding":"2.0.0","vulnerable":true}],"negate":false,"operator":"OR"},{"cpeMatch":[{"criteria":"cpe:2.3:a:wso2:wso2_identity_server_as_key_manager:*:*:*:*:*:*:*:*","versionEndExcluding":"5.10.0.296","versionStartIncluding":"5.10.0","vulnerable":true}],"negate":false,"operator":"OR"}],"operator":"OR"}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources.\n\nBy leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources."}],"value":"The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources.\n\nBy leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. 
Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources."}],"impacts":[{"capecId":"CAPEC-113","descriptions":[{"lang":"en","value":"CAPEC-113 CAPEC-113: XML External Entity Expansion"}]},{"capecId":"CAPEC-602","descriptions":[{"lang":"en","value":"CAPEC-602 CAPEC-602: XML Entity Injection"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-611","description":"CWE-611: Improper Restriction of XML External Entity Reference ('XXE')","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-16T08:12:58.247Z","orgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","shortName":"WSO2"},"references":[{"tags":["vendor-advisory"],"url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/#solution</span></a> <br>"}],"value":"Follow the instructions given on 
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3255/#solution"}],"source":{"advisory":"WSO2-2024-3255","discovery":"INTERNAL"},"title":"XML External Entity Injection in Multiple WSO2 Products Allows Arbitrary file read and Denial of Service","x_generator":{"engine":"Vulnogram 0.2.0"}}},"cveMetadata":{"assignerOrgId":"ed10eef1-636d-4fbe-9993-6890dfa878f8","assignerShortName":"WSO2","cveId":"CVE-2024-2374","datePublished":"2026-04-16T08:12:58.247Z","dateReserved":"2024-03-11T13:41:10.687Z","dateUpdated":"2026-04-16T12:30:49.250Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-16 09:16:34","lastModifiedDate":"2026-04-23 15:36:05","problem_types":["CWE-611","CWE-611 CWE-611: Improper Restriction of XML External Entity Reference ('XXE')"],"metrics":{"cvssMetricV31":[{"source":"ed10eef1-636d-4fbe-9993-6890dfa878f8","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","baseScore":7.5,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":3.6},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"HIGH"},"exploitabilityScore":3.9,"impactScore":5.2}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"3.1.0","versionEndExcluding":"3.1.0.278","matchCriteriaId":"1B6F9E48-4644-4
CDD-9B0F-44660DF3B4A1"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"3.2.0","versionEndExcluding":"3.2.0.368","matchCriteriaId":"248A7D7B-73D8-4657-A4CC-323E12276CB7"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.0.0","versionEndExcluding":"4.0.0.280","matchCriteriaId":"ED1FAFC6-11E5-411A-AAEB-25ABEF1D72B8"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.1.0","versionEndExcluding":"4.1.0.206","matchCriteriaId":"6120C68E-AAE8-4BB8-8AFD-297DD9ECB685"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.2.0","versionEndExcluding":"4.2.0.144","matchCriteriaId":"9E61F23D-2F8E-4327-8907-7CDECA282C3B"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"4.3.0","versionEndExcluding":"4.3.0.57","matchCriteriaId":"BCB50C71-44D7-4E41-BBF7-2676885B85F7"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.0","versionEndExcluding":"5.10.0.300","matchCriteriaId":"F33E4771-4C7C-4709-9C44-150BA9059C28"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*","versionStartIncluding":"5.11.0","versionEndExcluding":"5.11.0.329","matchCriteriaId":"34DC11D9-F546-46F0-9151-61B578751D14"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"6.0.0.179","matchCriteriaId":"DDFD8A2E-03A0-4337-BA8D-901512EFE806"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:identity_server:*:*:*:*:*:*:*:*","versionStartIncluding":"6.1.0","versionEndExcluding":"6.1.0.136","matchCriteriaId":"B7D0FAC4-60BD-4339-9EC5-4A744B97BFEE"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:iden
tity_server_as_key_manager:*:*:*:*:*:*:*:*","versionStartIncluding":"5.10.0","versionEndExcluding":"5.10.0.296","matchCriteriaId":"4F3B47AD-CF9F-4B1C-827C-966838CB0DF0"}]}]},{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:open_banking_am:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.0.0.328","matchCriteriaId":"66F5AFF1-B448-44B2-AB88-8149E475A219"},{"vulnerable":true,"criteria":"cpe:2.3:a:wso2:open_banking_iam:*:*:*:*:*:*:*:*","versionStartIncluding":"2.0.0","versionEndExcluding":"2.0.0.348","matchCriteriaId":"A2E44C59-E748-430C-9EE4-4A568061DB29"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"2374","Ordinal":"1","Title":"XML External Entity Injection in Multiple WSO2 Products Allows A","CVE":"CVE-2024-2374","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"2374","Ordinal":"1","NoteData":"The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution of external entities. This omission allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources.\n\nBy leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.","Type":"Description","Title":"XML External Entity Injection in Multiple WSO2 Products Allows A"}]}}}