CVE-2016-4312
Published 2017-02-17
Priority: P3 · 52 · high · 7.5 (CVSS 3.0)
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 6.00% (92.4th percentile)
XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5.1.0 before WSO2-CARBON-PATCH-4.4.0-0231 allows remote authenticated users with access to XACML features to read arbitrary files, cause a denial of service, conduct server-side request forgery (SSRF) attacks, or have unspecified other impact via a crafted XACML request to entitlement/eval-policy-submit.jsp. NOTE: this issue can be combined with CVE-2016-4311 to exploit the vulnerability without credentials.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | >= 0 < 3.13.0-83.127 | 3.13.0-83.127 |
| wso2 | identity_server | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.5 | HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | — | 6.2 | MEDIUM | — |
| vendor_redhat | — | 6.2 | MEDIUM | — |
GHSA
GHSA-rx7g-4gvj-h8m6 · ghsa_unreviewed · 2022-05-14 · CVSS 8.8 (HIGH) · CWE-611
Title: XML external entity (XXE) vulnerability in the XACML flow feature in WSO2 Identity Server 5
Description: identical to the CVE description above.
OSV
CVE-2016-3134: linux-lts-vivid vulnerabilities
osv · 2016-03-14 · CVSS 6.2
Ben Hawkes discovered that the Linux netfilter implementation did not
correctly perform validation when handling IPT_SO_SET_REPLACE events. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-3134)
It was discovered that the Linux kernel did not properly enforce rlimits
for file descriptors sent over UNIX domain sockets. A local attacker could
use this to cause a denial of service. (CVE-2013-4312)
Ralf Spenneberg discovered that the USB driver for Clie devices in the
Linux kernel did not properly validate the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2015-7566)
Ralf
OSV
CVE-2016-3134: linux-lts-utopic vulnerabilities
osv · 2016-03-14 · CVSS 6.2
Ben Hawkes discovered that the Linux netfilter implementation did not
correctly perform validation when handling IPT_SO_SET_REPLACE events. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-3134)
It was discovered that the Linux kernel did not properly enforce rlimits
for file descriptors sent over UNIX domain sockets. A local attacker could
use this to cause a denial of service. (CVE-2013-4312)
It was discovered that a race condition existed when handling heartbeat-
timeout events in the SCTP implementation of the Linux kernel. A remote
attacker could use this to cause a denial of service. (CVE-2015-8767)
Andy Lutomirski discovered a race
OSV
CVE-2016-3134: linux vulnerabilities
osv · 2016-03-14 · CVSS 6.2
Ben Hawkes discovered that the Linux netfilter implementation did not
correctly perform validation when handling IPT_SO_SET_REPLACE events. A
local unprivileged attacker could use this to cause a denial of service
(system crash) or possibly execute arbitrary code with administrative
privileges. (CVE-2016-3134)
It was discovered that the Linux kernel did not properly enforce rlimits
for file descriptors sent over UNIX domain sockets. A local attacker could
use this to cause a denial of service. (CVE-2013-4312)
Ralf Spenneberg discovered that the USB driver for Clie devices in the
Linux kernel did not properly validate the endpoints reported by the
device. An attacker with physical access could cause a denial of service
(system crash). (CVE-2015-7566)
Ralf Spenneber
OSV
CVE-2016-1576: linux-lts-wily vulnerabilities
osv · 2016-02-22 · CVSS 6.2
halfdog discovered that OverlayFS, when mounting on top of a FUSE mount,
incorrectly propagated file attributes, including setuid. A local
unprivileged attacker could use this to gain privileges. (CVE-2016-1576)
halfdog discovered that OverlayFS in the Linux kernel incorrectly
propagated security sensitive extended attributes, such as POSIX ACLs. A
local unprivileged attacker could use this to gain privileges.
(CVE-2016-1575)
It was discovered that the Linux kernel did not properly enforce rlimits
for file descriptors sent over UNIX domain sockets. A local attacker could
use this to cause a denial of service. (CVE-2013-4312)
It was discovered that the Linux kernel's Filesystem in Userspace (FUSE)
implementation did not handle initial zero length segments
Red Hat
CVE-2016-2550 [MEDIUM] CWE-400: kernel: incorrectly accounted in-flight fds
vendor_redhat · 2016-02-22 · CVSS 6.2
The Linux kernel before 4.5 allows local users to bypass file-descriptor limits and cause a denial of service (memory consumption) by leveraging incorrect tracking of descriptor ownership and sending each descriptor over a UNIX socket before closing it. NOTE: this vulnerability exists because of an incorrect fix for CVE-2013-4312.
A resource-exhaustion vulnerability was found in the kernel, where an unprivileged process could allocate and accumulate far more file descriptors than the process' limit. A local, unauthenticated user could exploit this flaw by sending file descriptors over a Unix socket and then closing them to keep the process' fd count low, thereby creating kernel-memory or file-descriptors exhaustion (denial of service).
Stateme
No detection rules found.
Bugzilla
CVE-2016-2550 [MEDIUM]: kernel: incorrectly accounted in-flight fds
bugzilla · 2016-02-24 · CVSS 6.2
The fix for CVE-2013-4312 incorrectly accounted the number of in-flight fds over a unix domain socket to the original opener of the file descriptor. This allows another process to arbitrarily deplete the original file opener's resource limit for the maximum number of open files.
CVE-ID request and assignment:
http://seclists.org/oss-sec/2016/q1/401
http://seclists.org/oss-sec/2016/q1/412
Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=415e3d3e90ce9e18727e8843ae343eda5a58fad6
Commit, which introduced the issue (it was addressing CVE-2013-4312):
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=712f4aad406bb1ed67f3f98d04c044191f0ff593
Discussion:
Created kernel trackin
Bugzilla
CVE-2013-4312 [MEDIUM]: kernel: File descriptors passed over unix sockets are not properly accounted
bugzilla · 2016-01-12 · CVSS 6.2
It was found that a process could allocate and accumulate far more FDs than the process' limit by sending them over a unix socket and then closing them to keep the process' fd count low, which could result in a local DoS against the kernel by depleting all available memory.
Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=712f4aad406b
Discussion:
https://lkml.org/lkml/2015/12/28/155
Discussion:
This issue went public via debian security advisory:
https://www.debian.org/security/2016/dsa-3448
---
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1300216]
---
Statement:
This issue affects the Linux kernel packages as shipped with Red Hat En
References
http://hyp3rlinx.altervista.org/advisories/WSO2-IDENTITY-SERVER-v5.1.0-XML-External-Entity.txt
http://packetstormsecurity.com/files/138329/WSO2-Identity-Server-5.1.0-XML-Injection.html
http://www.securityfocus.com/archive/1/539199/100/0/threaded
http://www.securityfocus.com/bid/92485
https://docs.wso2.com/display/Security/Security+Advisory+WSO2-2016-0096
https://www.exploit-db.com/exploits/40239/