Vulnerabilities > CVE-2016-4312 - XXE vulnerability in Wso2 Identity Server 5.1.0

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
LOW
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
wso2
CWE-611
exploit available

Summary

XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials.

Vulnerable Configurations

Part Description Count
Application
Wso2
1

Exploit-Db

descriptionWSO2 Identity Server 5.1.0 - Multiple Vulnerabilities. CVE-2016-4311,CVE-2016-4312. Webapps exploit for JSP platform
fileexploits/jsp/webapps/40239.txt
idEDB-ID:40239
last seen2016-08-16
modified2016-08-16
platformjsp
port
published2016-08-16
reporterhyp3rlinx
titleWSO2 Identity Server 5.1.0 - Multiple Vulnerabilities
typewebapps

Packetstorm

data sourcehttps://packetstormsecurity.com/files/download/138329/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt
idPACKETSTORM:138329
last seen2016-12-05
published2016-08-13
reporterhyp3rlinx
sourcehttps://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html
titleWSO2 Identity Server 5.1.0 XML Injection