Posted to dev@logging.apache.org by "karthik kumar balasundaram (JIRA)" <ji...@apache.org> on 2017/09/11 17:12:00 UTC
[jira] [Created] (LOG4NET-575) log4net function having XXE vulnerability
karthik kumar balasundaram created LOG4NET-575:
--------------------------------------------------
Summary: log4net function having XXE vulnerability
Key: LOG4NET-575
URL: https://issues.apache.org/jira/browse/LOG4NET-575
Project: Log4net
Issue Type: Improvement
Components: Core
Affects Versions: 2.0.8, 2.0.7
Environment: Windows 7, C#, nuget, .NET 4.5 and Visual Studio 2012.
Reporter: karthik kumar balasundaram
Fix For: 2.0.9, 2.0.8
Attachments: veracode_report.jpg
Recently we ran Veracode (a security tool) on our application. Veracode gave us a report that the log4net function 'void InternalConfigure(Repository.ILoggerRepository, System.IO.Stream)' has an Improper Restriction of XML External Entity Reference (XXE) error. We are seeing this vulnerability in both the 2.0.7 and 2.0.8 versions.
Attached screenshot for further reference.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
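A caller-side way to keep DTDs and external entities out of a log4net configuration stream, as an added example that is not part of the original report or of log4net's own code: the application parses the XML itself with DTD processing prohibited and passes the resulting element to XmlConfigurator.Configure(ILoggerRepository, XmlElement). The class name SafeLog4NetConfig, the sample document and the placeholder file path are assumptions made for illustration, and the config is assumed to have log4net as its root element.

```csharp
// Added example, not log4net code. Assumes the log4net NuGet package is referenced.
using System;
using System.IO;
using System.Text;
using System.Xml;
using log4net.Config;
using log4net.Repository;

public static class SafeLog4NetConfig // hypothetical helper name
{
    // Parse the configuration with DTDs rejected and no resolver, so an
    // external entity declaration can never be expanded or fetched.
    public static XmlElement LoadHardened(Stream configStream)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> throws XmlException
            XmlResolver = null                      // never fetch external resources
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (XmlReader reader = XmlReader.Create(configStream, settings))
        {
            doc.Load(reader);
        }
        return doc.DocumentElement; // assumed to be the <log4net> element
    }

    // Hand log4net an already-parsed element instead of the raw stream.
    public static void Configure(ILoggerRepository repository, Stream configStream)
    {
        XmlConfigurator.Configure(repository, LoadHardened(configStream));
    }

    public static void Main()
    {
        // Constructed sample: a config that declares an external entity.
        const string sample =
            "<?xml version=\"1.0\"?>\n" +
            "<!DOCTYPE log4net [<!ENTITY x SYSTEM \"file:///C:/placeholder.txt\">]>\n" +
            "<log4net><root><level value=\"&x;\"/></root></log4net>";
        try
        {
            LoadHardened(new MemoryStream(Encoding.UTF8.GetBytes(sample)));
            Console.WriteLine("parsed (DTD was not rejected)");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("rejected: " + ex.Message);
        }
    }
}
```

With these settings the sample document fails at the DOCTYPE declaration, before any entity is resolved, so a configuration that needs no DTD loads normally while one that declares entities is refused.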