Log4net / LOG4NET-575

log4net function having XXE vulnerability

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.7, 2.0.8
    • Fix Version/s: 2.1.0
    • Component/s: Core
    • Labels:
    • Environment:
      Windows 7, C#, nuget, .NET 4.5 and Visual Studio 2012.
    • Flags:
      Patch, Important

      Description

      Recently we ran Veracode (a security tool) on our application. Veracode gave us a report that the log4net function 'void InternalConfigure(Repository.ILoggerRepository, System.IO.Stream)' has an Improper Restriction of XML External Entity Reference (XXE) error. We are seeing this vulnerability in both the 2.0.7 and 2.0.8 versions.

      Attached screenshot for further reference.

        Attachments

        1. veracode_report.jpg
          120 kB
          Karthik Kumar Balasundaram
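
A defensive check for the finding reported above, added here as an example; it is not log4net's code and not the change shipped in 2.1.0. It parses a configuration stream with DTD processing prohibited and no resolver, then shows a DOCTYPE-bearing document being rejected. `SafeConfigLoader`, `Load` and both sample documents are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

// SafeConfigLoader and Load are hypothetical names for this example.
static class SafeConfigLoader
{
    // Parse a configuration stream with DTDs rejected and no resolver,
    // so entity declarations are never expanded or fetched.
    public static XmlElement Load(Stream configStream)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> raises XmlException
            XmlResolver = null                      // no external lookups at all
        };
        using (XmlReader reader = XmlReader.Create(configStream, settings))
        {
            var doc = new XmlDocument { XmlResolver = null };
            doc.Load(reader);
            return doc.DocumentElement;
        }
    }

    static Stream AsStream(string xml)
    {
        return new MemoryStream(Encoding.UTF8.GetBytes(xml));
    }

    static void Main()
    {
        // Constructed sample inputs, not taken from the issue.
        const string clean = "<log4net><root><level value=\"INFO\" /></root></log4net>";
        const string withDtd =
            "<!DOCTYPE log4net [<!ENTITY ext SYSTEM \"http://example.invalid/placeholder\">]>" +
            "<log4net><root><level value=\"&ext;\" /></root></log4net>";
        Console.WriteLine("clean config root: " + Load(AsStream(clean)).Name);
        try
        {
            Load(AsStream(withDtd));
            Console.WriteLine("DTD accepted: parser is not hardened");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("DTD rejected: " + ex.Message);
        }
    }
}
```

On an affected version, the returned element can be passed to `XmlConfigurator.Configure(XmlElement)` so that log4net never parses the raw stream itself; that this avoids the flagged code path is an assumption to confirm against the version in use.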


            People

            • Assignee:
              nachbarslumpi Dominik Psenner
              Reporter:
              bkarthikk Karthik Kumar Balasundaram
