Uploaded image for project: 'Log4net'
  1. Log4net
  2. LOG4NET-575

log4net function having XXE vulnerability

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.0.7, 2.0.8
    • 2.0.10
    • Core
    • Windows 7, C#, nuget, .NET 4.5 and Visual Studio 2012.
    • Patch, Important

    Description

      Recently we ran veracode (security tool) for our application. Veracode gave us the report that log4net function 'void InternalConfigure(Repository.ILoggerRepository, System.IO.Stream)' has Improper Restriction of XML External Entity Reference (XXE) error. We are seeing this vulnerability in both 2.0.7 and 2.0.8 versions.

      Attached screenshot for further reference.

      Attachments

        1. veracode_report.jpg
          120 kB
          Karthik Kumar Balasundaram

        Activity

          People

            nachbarslumpi Dominik Psenner
            bkarthikk Karthik Kumar Balasundaram
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: