CVE-2024-2374 Overview
CVE-2024-2374 is an XML External Entity (XXE) injection vulnerability affecting multiple WSO2 products. The XML parsers within these products accept user-supplied XML data without properly configuring restrictions to prevent the resolution of external entities. This security oversight allows malicious actors to craft XML payloads that exploit the parser's behavior, leading to the inclusion of external resources.
By leveraging this vulnerability, an attacker can read confidential files from the file system and access limited HTTP resources reachable by the affected product. Additionally, the vulnerability can be exploited to perform denial of service attacks by exhausting server resources through recursive entity expansion or fetching large external resources.
Critical Impact
Unauthenticated attackers can exploit this XXE vulnerability to read sensitive files from the server, perform SSRF attacks against internal services, and cause denial of service through resource exhaustion.
Affected Products
- WSO2 Products (Multiple - see WSO2 Security Advisory WSO2-2024-3255 for complete list)
Discovery Timeline
- 2026-04-16 - CVE-2024-2374 published to NVD
- 2026-04-16 - Last updated in NVD database
Technical Details for CVE-2024-2374
Vulnerability Analysis
This vulnerability stems from improper configuration of XML parsers within WSO2 products, classified as CWE-611 (Improper Restriction of XML External Entity Reference). When XML parsers process user-supplied input without disabling external entity resolution, attackers can inject malicious XML documents containing entity declarations that reference external resources.
The XXE vulnerability enables multiple attack scenarios. File disclosure attacks allow retrieval of sensitive configuration files, credentials, and other confidential data from the server's file system. Server-Side Request Forgery (SSRF) becomes possible as the parser can be instructed to make HTTP requests to internal services that would otherwise be inaccessible. Resource exhaustion attacks through recursive entity expansion (commonly known as "Billion Laughs" or XML bomb attacks) can cause denial of service by consuming excessive memory and CPU resources.
Root Cause
The root cause is the failure to properly configure XML parsers to disable dangerous features before processing untrusted XML input. Specifically, the parsers do not disable:
- External general entity processing
- External parameter entity processing
- DTD (Document Type Definition) processing
When these features remain enabled, the parser will attempt to resolve any entity references in the XML document, including references to external files and URLs controlled by the attacker.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by submitting a malicious XML payload to any endpoint that processes XML input in the affected WSO2 products.
A typical XXE attack involves crafting an XML document with a DOCTYPE declaration containing an external entity definition. When the parser processes this document, it resolves the entity by reading the referenced file or making the specified HTTP request. The entity value is then included in the parsed output, potentially exposing sensitive data to the attacker.
For SSRF attacks, the external entity URL points to internal services, allowing the attacker to probe internal network infrastructure or interact with services behind the firewall. For denial of service, nested entity references create exponential expansion that overwhelms system resources.
Detection Methods for CVE-2024-2374
Indicators of Compromise
- Unusual XML requests containing DOCTYPE declarations or ENTITY references in application logs
- Unexpected file access attempts to sensitive configuration files such as /etc/passwd, application configuration files, or credential stores
- Outbound HTTP requests from the WSO2 server to unexpected internal or external destinations
- Elevated memory or CPU usage indicative of XML bomb attacks
Detection Strategies
- Monitor web application firewall (WAF) logs for XML payloads containing DTD declarations, SYSTEM, or PUBLIC keywords
- Implement network detection rules to identify XXE attack patterns in HTTP POST requests with XML content types
- Deploy SentinelOne Singularity XDR to detect and correlate suspicious file access patterns and network behavior associated with XXE exploitation
- Enable verbose logging on WSO2 products to capture XML parsing errors and entity resolution attempts
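As an added example of the log-side detection described above (not part of this advisory and not a WSO2 or SentinelOne rule), the Java scanner below runs over a handful of constructed request-log lines and flags the DTD constructs named in the strategies: a DOCTYPE declaration, SYSTEM or PUBLIC external identifiers, parameter entities, and the many-declarations-many-references shape that indicates recursive entity expansion. The log format, the file and URL values in the sample lines, and the expansion thresholds are all assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class XxeLogScan {

    // Patterns for the DTD constructs called out under Detection Strategies.
    private static final Pattern DOCTYPE =
        Pattern.compile("<!DOCTYPE", Pattern.CASE_INSENSITIVE);
    private static final Pattern ENTITY_DECL =
        Pattern.compile("<!ENTITY\\s+(%\\s*)?\\w+", Pattern.CASE_INSENSITIVE);
    private static final Pattern EXTERNAL_ID =
        Pattern.compile("\\b(SYSTEM|PUBLIC)\\s+[\"']");
    private static final Pattern ENTITY_REF = Pattern.compile("&\\w+;");

    // Constructed sample log lines in an assumed "<client> <method> <path> <body>" layout.
    // Targets and paths are placeholders; these are not real WSO2 log records.
    static final String[] SAMPLE_LOG = {
        "10.0.0.5 POST /services/echo <ping>ok</ping>",
        "10.0.0.9 POST /services/echo <!DOCTYPE a [<!ENTITY x SYSTEM \"file:///placeholder/path\">]><a>&x;</a>",
        "10.0.0.9 POST /services/echo <!DOCTYPE a [<!ENTITY % p SYSTEM \"http://internal.example/placeholder\"> %p;]><a/>",
        "10.0.0.7 POST /services/echo <!DOCTYPE l [<!ENTITY a \"aaaa\"><!ENTITY b \"&a;&a;&a;&a;\">"
            + "<!ENTITY c \"&b;&b;&b;&b;\">]><l>&c;&c;&c;&c;</l>",
    };

    // Assumed heuristic thresholds for the recursive-expansion indicator.
    private static final int MIN_DECLS_FOR_BOMB = 3;
    private static final int MIN_REFS_FOR_BOMB = 8;

    /** Returns the list of indicator names found in one request body (empty if benign). */
    static List<String> classify(String body) {
        List<String> findings = new ArrayList<>();
        if (DOCTYPE.matcher(body).find()) {
            findings.add("doctype");
        }
        if (EXTERNAL_ID.matcher(body).find()) {
            findings.add("external-id");
        }
        Matcher decl = ENTITY_DECL.matcher(body);
        int declCount = 0;
        boolean parameterEntity = false;
        while (decl.find()) {
            declCount++;
            if (decl.group(1) != null) {
                parameterEntity = true;
            }
        }
        if (parameterEntity) {
            findings.add("parameter-entity");
        }
        Matcher ref = ENTITY_REF.matcher(body);
        int refCount = 0;
        while (ref.find()) {
            refCount++;
        }
        // Several declarations chained through many references is the shape of an XML bomb.
        if (declCount >= MIN_DECLS_FOR_BOMB && refCount >= MIN_REFS_FOR_BOMB) {
            findings.add("nested-expansion");
        }
        return findings;
    }

    /** Splits one log line into its client and body parts and classifies the body. */
    static String scanLine(String line) {
        String[] parts = line.split(" ", 4);
        if (parts.length < 4) {
            return line + " -> malformed log line";
        }
        List<String> findings = classify(parts[3]);
        return parts[0] + " " + parts[2] + " -> " + (findings.isEmpty() ? "clean" : findings);
    }

    public static void main(String[] args) {
        for (String line : SAMPLE_LOG) {
            System.out.println(scanLine(line));
        }
    }
}
```

Keyword matching of this kind is a triage aid, not a verdict: a legitimate document with a DOCTYPE will also be flagged, so findings should be correlated with the file-access and outbound-connection indicators listed above before treating a request as exploitation.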
Monitoring Recommendations
- Configure alerts for any XML parsing exceptions or entity resolution failures in application logs
- Monitor for unauthorized access to sensitive file paths on systems running WSO2 products
- Track outbound network connections from WSO2 servers, particularly to internal IP ranges or metadata service endpoints
- Implement SentinelOne's behavioral AI to identify anomalous process behavior indicative of post-exploitation activity
How to Mitigate CVE-2024-2374
Immediate Actions Required
- Review the WSO2 Security Advisory WSO2-2024-3255 for specific affected product versions and apply available patches
- Identify all WSO2 product deployments in your environment and assess exposure
- Deploy web application firewall rules to block XML payloads containing DOCTYPE declarations and external entity references
- Restrict network access to WSO2 management interfaces and limit outbound connectivity from WSO2 servers
Patch Information
Refer to the WSO2 Security Advisory WSO2-2024-3255 for detailed patching instructions and affected version information. WSO2 has released security updates that properly configure XML parsers to disable external entity processing.
Workarounds
- If immediate patching is not possible, implement WAF rules to filter XML requests containing DTD declarations or entity references
- Consider implementing input validation at the application layer to reject XML documents with DOCTYPE declarations
- Restrict network egress from WSO2 servers to prevent SSRF exploitation of internal services
- Deploy SentinelOne endpoint protection to detect and prevent exploitation attempts and post-compromise activity
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.