Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
References
Link Providers
http://advisories.mageia.org/MGASA-2014-0268.html cve-icon cve-icon
http://marc.info/?l=bugtraq&m=141017844705317&w=2 cve-icon cve-icon
http://marc.info/?l=bugtraq&m=144498216801440&w=2 cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2015-0675.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2015-0720.html cve-icon cve-icon
http://rhn.redhat.com/errata/RHSA-2015-0765.html cve-icon cve-icon
http://seclists.org/fulldisclosure/2014/Dec/23 cve-icon cve-icon
http://seclists.org/fulldisclosure/2014/May/141 cve-icon cve-icon
http://secunia.com/advisories/59732 cve-icon cve-icon
http://secunia.com/advisories/59873 cve-icon cve-icon
http://secunia.com/advisories/60729 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1588193 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1588199 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1589640 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1589837 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1589980 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1589983 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1589985 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1589990 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1589992 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1589997 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1590028 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1590036 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1593815 cve-icon cve-icon
http://svn.apache.org/viewvc?view=revision&revision=1593821 cve-icon cve-icon
http://tomcat.apache.org/security-6.html cve-icon cve-icon
http://tomcat.apache.org/security-7.html cve-icon cve-icon
http://tomcat.apache.org/security-8.html cve-icon cve-icon
http://www-01.ibm.com/support/docview.wss?uid=swg21678231 cve-icon cve-icon
http://www-01.ibm.com/support/docview.wss?uid=swg21681528 cve-icon cve-icon
http://www.debian.org/security/2016/dsa-3530 cve-icon cve-icon
http://www.debian.org/security/2016/dsa-3552 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2015:052 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2015:053 cve-icon cve-icon
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084 cve-icon cve-icon
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html cve-icon cve-icon
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html cve-icon cve-icon
http://www.securityfocus.com/archive/1/534161/100/0/threaded cve-icon cve-icon
http://www.securityfocus.com/bid/67669 cve-icon cve-icon
http://www.securitytracker.com/id/1030298 cve-icon cve-icon
http://www.ubuntu.com/usn/USN-2654-1 cve-icon cve-icon
http://www.vmware.com/security/advisories/VMSA-2014-0012.html cve-icon cve-icon
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013 cve-icon cve-icon
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2014-0119 cve-icon
https://www.cve.org/CVERecord?id=CVE-2014-0119 cve-icon
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2014-05-31T10:00:00

Updated: 2024-08-06T09:05:39.129Z

Reserved: 2013-12-03T00:00:00

Link: CVE-2014-0119

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2014-05-31T11:17:13.357

Modified: 2024-11-21T02:01:25.113

Link: CVE-2014-0119

cve-icon Redhat

Severity : Low

Publid Date: 2014-05-27T00:00:00Z

Links: CVE-2014-0119 - Bugzilla