PatchSiren cyber security CVE debrief

CVE-2016-4311 WSO2 CVE debrief

CVE-2016-4311 is a high-severity cross-site request forgery (CSRF) issue in the XACML flow feature of WSO2 Identity Server 5.1.0. A remote attacker could abuse a logged-in privileged user’s session to submit unintended XACML-related requests through entitlement/eval-policy-submit.jsp. The NVD record rates the issue as CVSS 3.0 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps it to CWE-352.

Vendor
WSO2
Product
WSO2 Identity Server 5.1.0
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-17
Original CVE updated
2026-05-13
Advisory published
2017-02-17
Advisory updated
2026-05-13

Who should care

Organizations running WSO2 Identity Server 5.1.0, especially administrators or privileged users who use the XACML entitlement flow and access the entitlement/eval-policy-submit.jsp endpoint.

Technical summary

The vulnerability is a CSRF flaw in the XACML flow feature. A page under the attacker's control can make a privileged user's browser send a request to entitlement/eval-policy-submit.jsp with that user's session cookie attached automatically; because the flow does not bind the request to a per-session anti-CSRF token, the server cannot tell it apart from a request the user intended, and XACML request-processing actions run with the victim's privileges. NVD identifies the weakness as CWE-352 and lists the vulnerable CPE as wso2:identity_server:5.1.0.

Defensive priority

High. The issue is network-reachable, needs no privileges on the attacker's side (PR:N), and requires only that a privileged user with an active session open attacker-controlled content (UI:R), while the recorded impact is high across confidentiality, integrity, and availability.

Recommended defensive actions

  • Review WSO2 Security Advisory WSO2-2016-0096 and apply the vendor-recommended fix or update path.
  • Verify whether WSO2 Identity Server 5.1.0 is deployed and whether the entitlement/eval-policy-submit.jsp flow is reachable.
  • Enforce CSRF protections on state-changing endpoints and confirm that privileged administrative workflows require anti-CSRF tokens.
  • Limit exposure of administrative interfaces and reduce the number of privileged users who can access the XACML flow.
  • Set the admin session cookie with the Secure and HttpOnly flags and a SameSite attribute (Lax or Strict) so that cross-site requests do not carry the session at all, then retest the XACML flow after remediation.
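The following is an added example, not code from WSO2 or from this debrief, that illustrates the mechanism described in the technical summary and the token/origin checks recommended above. It models a state-changing admin endpoint two ways: a pre-fix handler that processes any POST carrying a valid session cookie (the CWE-352 pattern), and a protected handler that additionally requires a same-origin Origin/Referer header and a per-session synchronizer token. The request model, the session store, the form field names, and the path prefix are assumptions; the real parameters of eval-policy-submit.jsp are not documented in the source.

```python
"""Synchronizer-token plus origin check for a state-changing admin endpoint.

Added example, not code from WSO2 Identity Server or the PatchSiren page.
Request/session model, field names and the deployment origin are assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://idp.example.test"          # assumed deployment origin
# path named in the advisory; the full prefix is not given in the source
TARGET = "/entitlement/eval-policy-submit.jsp"


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    form: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


# constructed session store: session id -> user and per-session CSRF token
SESSIONS = {"s1": {"user": "admin", "csrf": secrets.token_urlsafe(32)}}


def session_for(req):
    return SESSIONS.get(req.cookies.get("JSESSIONID"))


def vulnerable_handler(req):
    """Pre-fix behaviour: a valid session cookie is the only check, so a
    browser-initiated cross-site POST is processed like a genuine one."""
    sess = session_for(req)
    if sess is None:
        return 401, "not authenticated"
    if req.method != "POST" or req.path != TARGET:
        return 404, "no such flow"
    return 200, f"policy evaluated for {sess['user']}"


def origin_matches(req):
    """Reject requests whose Origin (or, failing that, Referer) is not ours.
    A missing header counts as a failure for state-changing requests."""
    hdr = req.headers.get("Origin") or req.headers.get("Referer")
    if not hdr:
        return False
    parts = urlsplit(hdr)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def token_matches(req, sess):
    """Constant-time comparison of the submitted token with the session's."""
    submitted = req.form.get("csrf_token", "")
    return hmac.compare_digest(submitted, sess["csrf"])


def protected_handler(req):
    """Hardened handler: session, same-origin header and matching token."""
    sess = session_for(req)
    if sess is None:
        return 401, "not authenticated"
    if req.method != "POST" or req.path != TARGET:
        return 404, "no such flow"
    if not origin_matches(req):
        return 403, "cross-site origin"
    if not token_matches(req, sess):
        return 403, "missing or invalid anti-CSRF token"
    return 200, f"policy evaluated for {sess['user']}"


def session_cookie_header(session_id):
    """Cookie attributes that stop a cross-site POST from carrying the
    session at all; the browser-side complement to the token check."""
    return f"JSESSIONID={session_id}; Secure; HttpOnly; SameSite=Lax"


def legitimate_request():
    """Constructed: the admin submits the form from our own page."""
    sess = SESSIONS["s1"]
    return Request("POST", TARGET, {"Origin": SITE_ORIGIN},
                   {"csrf_token": sess["csrf"], "policy": "<xacml-request>"},
                   {"JSESSIONID": "s1"})


def forged_request():
    """Constructed: what an attacker's page makes the victim's browser send.
    The session cookie is attached automatically; the Origin is the attacker's
    site and no token is present."""
    return Request("POST", TARGET, {"Origin": "https://attacker.example.test"},
                   {"policy": "<xacml-request>"},
                   {"JSESSIONID": "s1"})


def compare():
    """Status codes for legitimate vs forged requests under both handlers."""
    return {
        "legit_vulnerable": vulnerable_handler(legitimate_request())[0],
        "forged_vulnerable": vulnerable_handler(forged_request())[0],
        "legit_protected": protected_handler(legitimate_request())[0],
        "forged_protected": protected_handler(forged_request())[0],
    }


if __name__ == "__main__":
    for name, status in compare().items():
        print(f"{name}: {status}")
```

The forged request is accepted by the pre-fix handler and refused by the protected one; note that the origin check alone would also refuse a forged request that somehow carried a valid token, and that the token check alone covers clients that send no Origin or Referer. Deploy both, together with the SameSite cookie attribute, rather than picking one.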

Evidence notes

This debrief is based on the CVE/NVD record and its referenced vendor advisory. The CVE was published on 2017-02-17 and later modified on 2026-05-13 in the supplied source data. NVD lists the weakness as CWE-352 and the CVSS vector as AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The source metadata also references third-party exploit/advisory pages, but this summary does not rely on them for technical detail.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-17. The supplied NVD metadata also cites a WSO2 vendor advisory and multiple third-party advisory/exploit references.