XML External Entity Vulnerability in WSO2 Identity Server by WSO2
CVE-2016-4312

7.5HIGH

Key Information:

Vendor: Wso2
Status: Identity Server
Vendor: CVE Published:; 17 February 2017

What is CVE-2016-4312?

The XML External Entity (XXE) vulnerability in the XACML flow feature of WSO2 Identity Server 5.1.0 enables remote authenticated users with access to XACML features to exploit crafted XACML requests. This vulnerability may permit unauthorized access to arbitrary files, lead to denial of service, and facilitate server-side request forgery (SSRF) attacks. It poses significant risk if combined with other vulnerabilities, allowing exploitation without authentication.

References

https://www.exploit-db.com/exploits/40239/

exploitx_refsource_EXPLOIT-DB

http://www.securityfocus.com/archive/1/539199/100/0/threaded

mailing-listx_refsource_BUGTRAQ

http://www.securityfocus.com/bid/92485

vdb-entryx_refsource_BID

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 17, 2017
Vulnerability Reserved
Apr 27, 2016

Wso2

What is CVE-2016-4312?

References

EPSS Score

CVSS V3.1

Timeline