PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-4312 WSO2 CVE debrief

CVE-2016-4312 affects WSO2 Identity Server 5.1.0 and is a high-impact XML external entity (XXE) issue in the XACML flow feature. A crafted XACML request sent to entitlement/eval-policy-submit.jsp can trigger unsafe XML processing, which may allow an authenticated attacker with access to XACML features to read local files, cause denial of service, or perform server-side request forgery (SSRF). The vulnerability is listed as CWE-611 and was assigned a high-severity CVSS score in NVD.

Vendor: WSO2
Product: WSO2 Identity Server (5.1.0)
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-17
Original CVE updated: 2026-05-13
Advisory published: 2017-02-17
Advisory updated: 2026-05-13

Who should care

WSO2 Identity Server administrators, IAM platform owners, and security teams responsible for systems exposing XACML features or entitlement/eval-policy-submit.jsp should prioritize this issue, especially where authenticated users can reach the XACML flow.

Technical summary

NVD describes the flaw as an XXE condition in the XACML flow feature of WSO2 Identity Server 5.1.0; deployments without WSO2-CARBON-PATCH-4.4.0-0231 are affected. The issue is triggered through a crafted XACML request and can lead to arbitrary file reads, SSRF, denial of service, and other unspecified impact. NVD maps the weakness to CWE-611 and reports CVSS v3.0 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H.

Defensive priority

High. The affected component is an identity and policy enforcement service, and the described outcomes include data exposure and SSRF. Apply remediation promptly if the XACML flow feature is in use or reachable by authenticated users.

Recommended defensive actions

  • Apply the vendor fix referenced in WSO2 security advisory WSO2-2016-0096, including WSO2-CARBON-PATCH-4.4.0-0231 or later.
  • Restrict access to XACML features and entitlement/eval-policy-submit.jsp to the smallest possible set of trusted administrators and users.
  • Review XML parsing settings in the affected deployment to ensure external entity resolution is disabled where appropriate.
  • Monitor logs for unusual XACML requests, unexpected outbound network access, and file access errors that could indicate XXE activity.
  • If CVE-2016-4311 is also present in the environment, treat the combined risk as more severe because the description notes the issue may be exploitable without credentials.
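The XML parser hardening recommended above, shown as an added Java example (not WSO2's own code): a JAXP DocumentBuilderFactory configured to refuse DOCTYPE declarations and external entities, exercised against two constructed XACML request bodies, one benign and one carrying a DOCTYPE. The feature URIs are the standard SAX/Xerces ones; the XACML namespace is the OASIS 3.0 one; the sample documents and the `parseXacmlRequest` helper are assumptions for illustration.

```java
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import java.io.IOException;
import java.io.StringReader;

public class XacmlRequestParser {

    // Hardened factory: no DOCTYPE at all, no external general or parameter
    // entities, no external DTD loading, no XInclude, no entity expansion.
    static DocumentBuilderFactory hardenedFactory() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setNamespaceAware(true);
        // JAXP 1.5 properties: deny all external DTD and schema access.
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f;
    }

    // Returns true only for a well-formed XACML <Request> accepted by the hardened parser.
    static boolean parseXacmlRequest(String xml) {
        try {
            DocumentBuilder b = hardenedFactory().newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return "Request".equals(d.getDocumentElement().getLocalName());
        } catch (SAXException | IOException | ParserConfigurationException e) {
            System.out.println("Rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed samples: a minimal XACML 3.0 request, and one with a DOCTYPE
        // declaring a SYSTEM entity (placeholder URI), which the parser must refuse.
        String benign = "<Request xmlns=\"urn:oasis:names:tc:xacml:3.0:core:schema:wd-17\""
                + " ReturnPolicyIdList=\"false\" CombinedDecision=\"false\"/>";
        String withDoctype = "<!DOCTYPE Request [<!ENTITY x SYSTEM \"file:///placeholder\">]>"
                + "<Request>&x;</Request>";
        System.out.println("benign accepted: " + parseXacmlRequest(benign));
        System.out.println("doctype accepted: " + parseXacmlRequest(withDoctype));
    }
}
```

The second request is rejected at the DOCTYPE declaration, before any entity is resolved, which is the behaviour the review in the action item above should confirm for every parser that handles XACML input.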

Evidence notes

This debrief is based on the NVD record and the vendor advisory reference listed in NVD. NVD identifies the weakness as CWE-611 and provides the CVSS v3.0 vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The published CVE date used here is 2017-02-17, with NVD modified metadata updated on 2026-05-13. Third-party exploit and advisory references are present in the source corpus, but only the vendor/NVD descriptions were used for the summary.

Official resources

CVE-2016-4312 was published on 2017-02-17. NVD metadata was last modified on 2026-05-13. The source corpus includes the WSO2 security advisory WSO2-2016-0096 and multiple third-party references.