karthik kumar balasundaram created LOG4NET-575:
--------------------------------------------------

             Summary: log4net function having XXE vulnerability 
                 Key: LOG4NET-575
                 URL: https://issues.apache.org/jira/browse/LOG4NET-575
             Project: Log4net
          Issue Type: Improvement
          Components: Core
    Affects Versions: 2.0.8, 2.0.7
         Environment: Windows 7, C#, nuget, .NET 4.5 and Visual Studio 2012. 
            Reporter: karthik kumar balasundaram
             Fix For: 2.0.9, 2.0.8
         Attachments: veracode_report.jpg

Recently we ran Veracode (a security tool) on our application. Veracode gave us
a report that the log4net function
'void InternalConfigure(Repository.ILoggerRepository, System.IO.Stream)' has an
Improper Restriction of XML External Entity Reference (XXE) error. We are seeing
this vulnerability in both the 2.0.7 and 2.0.8 versions.

A screenshot is attached for further reference.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
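
An added example for readers triaging this finding (not log4net's code and not from the reporter): loading a log4net XML configuration from a Stream with DTD processing prohibited and no resolver, the usual hardening for the XXE weakness class named in the report. The class name, method names and sample XML are constructed for illustration.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;

static class SafeLogConfigLoader
{
    // Hypothetical helper (not part of log4net): parse a config stream with
    // DTDs prohibited and no resolver, so no entity can be declared or fetched.
    public static XmlElement LoadConfigElement(Stream configStream)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // any <!DOCTYPE> raises XmlException
            XmlResolver = null                      // never resolve external resources
        };
        var doc = new XmlDocument { XmlResolver = null };
        using (XmlReader reader = XmlReader.Create(configStream, settings))
        {
            doc.Load(reader);
        }
        XmlNodeList nodes = doc.GetElementsByTagName("log4net");
        if (nodes.Count != 1)
            throw new InvalidDataException("expected exactly one <log4net> element");
        return (XmlElement)nodes[0];
    }

    static Stream AsStream(string xml)
    {
        return new MemoryStream(Encoding.UTF8.GetBytes(xml));
    }

    static void Main()
    {
        // Constructed sample inputs: one plain config, one that declares a DTD.
        string plain = "<configuration><log4net><root><level value=\"INFO\"/></root></log4net></configuration>";
        string withDtd = "<!DOCTYPE configuration [<!ENTITY lvl \"DEBUG\">]>" +
            "<configuration><log4net><root><level value=\"&lvl;\"/></root></log4net></configuration>";

        XmlElement element = LoadConfigElement(AsStream(plain));
        Console.WriteLine("accepted: <" + element.Name + ">");
        try
        {
            LoadConfigElement(AsStream(withDtd));
            Console.WriteLine("DTD accepted (unexpected)");
        }
        catch (XmlException ex) { Console.WriteLine("rejected: " + ex.Message); }
    }
}
```

The returned element can be passed to XmlConfigurator.Configure(XmlElement), so the XML parsing is done by the application's own hardened reader.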
