CVE-2014-0119

Priority
Description
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does
not properly constrain the class loader that accesses the XML parser used
with an XSLT stylesheet, which allows remote attackers to (1) read
arbitrary files via a crafted web application that provides an XML external
entity declaration in conjunction with an entity reference, related to an
XML External Entity (XXE) issue, or (2) read files associated with
different web applications on a single Tomcat instance via a crafted web
application.
Notes
 mdeslaur> patch is intrusive
Assigned-to
mdeslaur
Package
Upstream:released (6.0.41-1)
Ubuntu 12.04 ESM (Precise Pangolin):needed
Ubuntu 14.04 ESM (Trusty Tahr):released ([6.0.39-1ubuntu0.1])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (6.0.41-1)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Patches:
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1589640
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1593815
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1593821
Package
Upstream:released (8.0.5-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (8.0.9-1)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (8.0.9-1)
Ubuntu 18.10 (Cosmic Cuttlefish):not-affected (8.0.9-1)
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
More Information

Updated: 2019-05-15 17:14:31 UTC (commit 2d71aefac924bf16479c12958688c37878e881eb)