WSO2 Identity Server up to 5.1.0 eval-policy-submit.jsp xml external entity reference
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.0 | $0-$5k | 0.00 |
Summary
A vulnerability identified as critical has been detected in WSO2 Identity Server up to 5.1.0. Affected by this issue is some unknown functionality of the file entitlement/eval-policy-submit.jsp. The manipulation leads to xml external entity reference. This vulnerability is listed as CVE-2016-4312. The attack may be initiated remotely. In addition, an exploit is available. To fix this issue, it is recommended to deploy a patch.
Details
A vulnerability was found in WSO2 Identity Server up to 5.1.0 and classified as critical. This issue affects some unknown functionality of the file entitlement/eval-policy-submit.jsp. The manipulation with an unknown input leads to a xml external entity reference vulnerability. Using CWE to declare the problem leads to CWE-611. The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. Impacted is confidentiality, integrity, and availability. The summary by CVE is:
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials.
The bug was discovered 08/13/2016. The weakness was presented 02/17/2017 by John Page (hyp3rlinx) as confirmed posting (Bugtraq). It is possible to read the advisory at securityfocus.com. The identification of this vulnerability is CVE-2016-4312 since 04/27/2016. The attack may be initiated remotely. A simple authentication is required for exploitation. Technical details as well as a public exploit are known.
A public exploit has been developed by hyp3rlinx and been published even before and not after the advisory. The exploit is available at exploit-db.com. It is declared as proof-of-concept. The vulnerability was handled as a non-public zero-day exploit for at least 187 days. During that time the estimated underground price was around $0-$5k. By approaching the search of inurl:entitlement/eval-policy-submit.jsp it is possible to find vulnerable targets with Google Hacking.
Applying a patch is able to eliminate this problem.
The vulnerability is also documented in the databases at Exploit-DB (40239) and SecurityFocus (BID 92485†). See VDB-97042 for similar entry. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Product
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.2VulDB Meta Temp Score: 6.0
VulDB Base Score: 5.0
VulDB Temp Score: 4.5
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 7.5
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Xml external entity referenceCWE: CWE-611 / CWE-610
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: hyp3rlinx
Download: 🔍
Google Hack: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
OpenVAS ID: 800224
OpenVAS Name: WSO2 Identity Server CSRF And XXE Vulnerabilities
OpenVAS File: 🔍
OpenVAS Family: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
0-Day Time: 🔍
Timeline
04/27/2016 🔍08/13/2016 🔍
08/16/2016 🔍
08/16/2016 🔍
08/16/2016 🔍
02/16/2017 🔍
02/17/2017 🔍
02/17/2017 🔍
09/13/2024 🔍
Sources
Advisory: securityfocus.com⛔Researcher: John Page (hyp3rlinx)
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2016-4312 (🔍)
GCVE (CVE): GCVE-0-2016-4312
GCVE (VulDB): GCVE-100-97043
SecurityFocus: 92485 - WSO2 Identity Server Cross Site Request Forgery and Information Disclosure Vulnerabilities
OSVDB: - CVE-2016-4312 - WSO2 - Identity Server - XML External Entity Issue
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 02/17/2017 11:40Updated: 09/13/2024 06:10
Changes: 02/17/2017 11:40 (78), 08/15/2020 11:38 (2), 09/13/2024 06:10 (17)
Complete: 🔍
Cache ID: 216::103
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.