[LOG4NET-575] log4net function having XXE vulnerability - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.0.7, 2.0.8
Fix Version/s: 2.0.10
Component/s: Core
Labels:
- patch
Environment:
Windows 7, C#, nuget, .NET 4.5 and Visual Studio 2012.

Flags:

Patch, Important

Description

Recently we ran veracode (security tool) for our application. Veracode gave us the report that log4net function 'void InternalConfigure(Repository.ILoggerRepository, System.IO.Stream)' has Improper Restriction of XML External Entity Reference (XXE) error. We are seeing this vulnerability in both 2.0.7 and 2.0.8 versions.

Attached screenshot for further reference.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

veracode_report.jpg
11/Sep/17 17:09
120 kB
Karthik Kumar Balasundaram

Activity

People

Assignee:: Dominik Psenner

Reporter:: Karthik Kumar Balasundaram

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 11/Sep/17 17:11

Updated:: 12/Sep/20 18:09

Resolved:: 12/Sep/20 18:09