Skip to main content

CVE-2014-0119

Severity

6.8

Description

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.

Mitigation

We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:

Project

Apache Tomcat

Apache TomEE

Category
n/a
Tags
operational
Date Disclosed

2014-05-31

Date Discovered

2013-12-03

Apache Tomcat 8.0.x

First release:
2014-06-25
First release:
2018-06-30
CVEs:
55
Support Lifecycle:
Namespace:
javax
8.0.18.0.38.0.5

Apache Tomcat 6.0.x

First release:
2007-02-28
First release:
2016-12-31
CVEs:
50
Support Lifecycle:
Namespace:
javax
6.0.136.0.146.0.166.0.186.0.206.0.246.0.266.0.286.0.296.0.306.0.326.0.336.0.356.0.366.0.376.0.39

Apache TomEE 1.6.x

First release:
2013-11-17
CVEs:
108
Support Lifecycle:
Namespace:
javax
1.6.01.6.0.11.6.0.2

Apache TomEE 1.5.x

First release:
2012-09-28
CVEs:
119
Support Lifecycle:
Namespace:
javax
1.5.01.5.11.5.2

Apache TomEE 1.0.x

First release:
2012-04-27
CVEs:
130
Support Lifecycle:
Namespace:
javax
1.0.0
Feel Vulnerable? 

Contact us so we can help you.

* These fields are required.