Security Advisory WSO2-2016-0096

Published: August 12, 2016


WSO2 Identity Server 5.1.0 is vulnerable to XML External Entity (XXE) attacks in the XACML flow.


WSO2 Identity Server is vulnerable to XXE attack which is a type of attack against an application that parses XML input. When Identity Server is used with its XACML feature, it parses XACML requests and XACML policies which contain XML entries according to the XACML specification. This attack occurs when a XACML request or a policy containing a reference to an external entity is processed by a weakly configured XML parser.

In order to change the XACML policies, an attacker should be a privileged person and have access to XACML features in the Identity Server's management console or EntitlementPolicyAdminService admin service. Similarly, in order to send a malicious XACML request, an attacker should be a privileged user having access to XACML features in the Identity Server's management console or EntitlementService admin service.


XXE attacks can affect any trusted system respective to the machine where the parser is located. This attack can include disclosing local files, denial of service and server-side request forgery, port scanning and other system impact on affected systems.


Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to

Code Product Version Patch
IS WSO2 Identity Server 5.1.0 WSO2-CARBON-PATCH-4.4.0-0231


If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.