[ https://issues.apache.org/jira/browse/LOG4NET-575?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16161928#comment-16161928 ]

Dominik Psenner commented on LOG4NET-575:
-----------------------------------------

Hi,

Thanks for your report. We take security issues very seriously and are evaluating 
possible attack vectors. Please redirect further discussion and information to 
the logging pmc mailing list. Would you please send an email there so that we 
have a way to stay in contact?

Best regards,
Dominik

> log4net function having XXE vulnerability 
> ------------------------------------------
>
>                 Key: LOG4NET-575
>                 URL: https://issues.apache.org/jira/browse/LOG4NET-575
>             Project: Log4net
>          Issue Type: Improvement
>          Components: Core
>    Affects Versions: 2.0.7, 2.0.8
>         Environment: Windows 7, C#, nuget, .NET 4.5 and Visual Studio 2012. 
>            Reporter: karthik kumar balasundaram
>              Labels: patch
>             Fix For: 2.0.7, 2.0.8
>
>         Attachments: veracode_report.jpg
>
>
> Recently we ran Veracode (security tool) for our application. Veracode gave 
> us the report that log4net function 'void 
> InternalConfigure(Repository.ILoggerRepository, System.IO.Stream)' has 
> Improper Restriction of XML External Entity Reference (XXE) error. We are 
> seeing this vulnerability in both 2.0.7 and 2.0.8 versions. 
> Attached screenshot for further reference.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
