Vulnerability DatabaseCVE-2014-0119
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2014-0119
May 31, 2014
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
Affected Packages
org.apache.tomcat:tomcat-catalina (JAVA):
Affected version(s) >=7.0.0 <7.0.54
Fix Suggestion:
Update to version 7.0.54
org.apache.tomcat:tomcat-jasper (JAVA):
Affected version(s) >=7.0.0 <7.0.54
Fix Suggestion:
Update to version 7.0.54
Related ResourcesĀ (79)
http://www.debian.org/security/2016/dsa-3530
https://github.com/apache/tomcat/commit/50311bed8d87e452ff0e69838ba312c4fe899b2d
http://rhn.redhat.com/errata/RHSA-2015-0675.html
http://tomcat.apache.org/security-7.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
https://github.com/apache/tomcat80/commit/7d33457de5fc5a652a88fb9bbc9ba4cbbda58f04
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
http://tomcat.apache.org/security-6.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.debian.org/security/2016/dsa-3552
http://rhn.redhat.com/errata/RHSA-2015-0720.html
http://svn.apache.org/viewvc?view=revision&revision=1589997
http://svn.apache.org/viewvc?view=revision&revision=1589990
http://tomcat.apache.org/security-8.html
http://seclists.org/fulldisclosure/2014/May/141
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://nvd.nist.gov/vuln/detail/CVE-2014-0119
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
http://secunia.com/advisories/60729
http://svn.apache.org/viewvc?view=revision&revision=1589985
http://www.mandriva.com/security/advisories?name=MDVSA-2015:053
https://github.com/apache/tomcat80/commit/25251de791a6a7be13f2f3d3a66119a77025272d
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://github.com/apache/tomcat/commit/5517c5517e8a7ddb994504f0c5c05001a376b10c
https://github.com/apache/tomcat/commit/ce70ee6b8fe437a498a375215011056702b0c481
http://advisories.mageia.org/MGASA-2014-0268.html
http://svn.apache.org/viewvc?view=revision&revision=1589980
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://svn.apache.org/viewvc?view=revision&revision=1590036
http://svn.apache.org/viewvc?view=revision&revision=1590028
https://github.com/apache/tomcat/commit/ad3b34a290a0255d2a4c356a3611ab41ed9d04f5
http://www.securityfocus.com/bid/67669
http://seclists.org/fulldisclosure/2014/Dec/23
https://github.com/apache/tomcat/commit/6246d8307fb5f2b4ff0b0f4d6d1b0250dff01a81
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
http://www-01.ibm.com/support/docview.wss?uid=swg21681528
https://github.com/apache/tomcat80/commit/69a8a72283c3395ece8b899cf8562e126de97a27
http://svn.apache.org/viewvc?view=revision&revision=1588193
http://svn.apache.org/viewvc?view=revision&revision=1593821
https://github.com/apache/tomcat/commit/5aae1323c31d643afa9f2db80713b8e97b5123af
https://github.com/apache/tomcat80/commit/77e014cef5d5af619bcf77eaebf22c284d420802
https://github.com/apache/tomcat
http://marc.info/?l=bugtraq&m=144498216801440&w=2
http://www.ubuntu.com/usn/USN-2654-1
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
https://github.com/apache/tomcat/commit/ebe5c16f18ce1559e8462a94b3876a98525980d2
http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
http://www-01.ibm.com/support/docview.wss?uid=swg21678231
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
http://www.securitytracker.com/id/1030298
https://github.com/apache/tomcat80/commit/4d90e355dc5ced4c53585c2b4700f71a52d8f447
https://github.com/apache/tomcat/commit/080878ea519d8c74c53721a9ebf7be6fcf6f1f2f
https://github.com/apache/tomcat/commit/f8b316acbbf9fabf87cc137e9777e912eda0d834
https://access.redhat.com/security/cve/CVE-2014-0119
http://svn.apache.org/viewvc?view=revision&revision=1593815
http://svn.apache.org/viewvc?view=revision&revision=1588199
http://secunia.com/advisories/59732
http://svn.apache.org/viewvc?view=revision&revision=1589992
http://secunia.com/advisories/59873
https://github.com/apache/tomcat/commit/934f884f330dad192d2c5dc950e28f4cd281461b
https://github.com/apache/tomcat/commit/769477b9bc8442db3f571385fa0c3e206242cbf1
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
http://rhn.redhat.com/errata/RHSA-2015-0765.html
https://github.com/apache/tomcat80/commit/d59fd4398c8ae6361e0b13c491f66b51e49a7441
http://svn.apache.org/viewvc?view=revision&revision=1589837
http://svn.apache.org/viewvc?view=revision&revision=1589983
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
http://svn.apache.org/viewvc?view=revision&revision=1589640
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
https://github.com/apache/tomcat80/commit/51e59532ad4c604f55575963dc7a7f0250cb420f
http://marc.info/?l=bugtraq&m=141017844705317&w=2
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.3
Attack Vector
NETWORK
Attack Complexity
HIGH
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
NONE
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
3.7
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
NONE
Availability
NONE
CVSS v2
Base Score:
4.3
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
Weakness Type (CWE)
Missing XML Validation
CWE-112
EPSS
Base Score:
4.35