CVE-2014-0107

Priority
Medium
Description
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly
restrict access to certain properties when FEATURE_SECURE_PROCESSING is
enabled, which allows remote attackers to bypass expected restrictions and
load arbitrary classes or access external resources via a crafted (1)
xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4)
xslt:entities property, or a Java property that is bound to the XSLT 1.0
system-property function.
References
Bugs
Assigned-to
mdeslaur
Package
Upstream:released (2.7.1-9)
Ubuntu 10.04 LTS (Lucid Lynx):released (2.7.1-5ubuntu1.1)
Ubuntu 12.04 LTS (Precise Pangolin):released (2.7.1-7ubuntu0.1)
Ubuntu 13.10 (Saucy Salamander):released (2.7.1-8ubuntu0.1)
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (2.7.1-9)
Ubuntu 14.10 (Utopic Unicorn):not-affected (2.7.1-9)
Patches:
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1581058
Vendor:https://www.debian.org/security/2014/dsa-2886
More Information

Updated: 2014-05-21 20:14:34 UTC (commit 8082)