CVE-2014-0119

Priority
Description
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does
not properly constrain the class loader that accesses the XML parser used
with an XSLT stylesheet, which allows remote attackers to (1) read
arbitrary files via a crafted web application that provides an XML external
entity declaration in conjunction with an entity reference, related to an
XML External Entity (XXE) issue, or (2) read files associated with
different web applications on a single Tomcat instance via a crafted web
application.
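The description names the classic XXE shape: an external entity declaration in the DOCTYPE plus an entity reference in the body. The following is an added example, not Tomcat code and not part of the upstream patches linked below; it constructs such a document inline and shows the JAXP parser and transformer-factory settings a practitioner would use to refuse it. It assumes Java 7u40 or later (the XMLConstants.ACCESS_EXTERNAL_* attributes) and the JDK's built-in Xerces-derived parser, which understands the Apache feature URIs used here.

```java
// Added example (not from Tomcat): the XXE document shape this CVE describes,
// and a hardened JAXP configuration that rejects it before any file is read.
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class XxeCheck {

    // Constructed sample input: an external entity declaration ("xxe",
    // pointing at a local file) together with an entity reference (&xxe;)
    // in the document body. A parser that resolves it reads the file.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE root [\n" +
        "  <!ENTITY xxe SYSTEM \"file:///etc/hostname\">\n" +
        "]>\n" +
        "<root>&xxe;</root>\n";

    // Hardened DocumentBuilderFactory: refuse DOCTYPE entirely, and as
    // defence in depth also disable external general/parameter entities,
    // XInclude and entity expansion. Feature URIs are the Xerces ones
    // (assumption: the JDK's built-in parser or Apache Xerces is in use).
    static DocumentBuilderFactory hardenedDbf() throws ParserConfigurationException {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        dbf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        dbf.setXIncludeAware(false);
        dbf.setExpandEntityReferences(false);
        return dbf;
    }

    // Hardened TransformerFactory for XSLT work: secure processing on, and
    // no external DTD or stylesheet access (JAXP 1.5 attributes, Java 7u40+).
    static TransformerFactory hardenedTf() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    // Returns true when the hardened parser rejects the document outright.
    // With disallow-doctype-decl set, the DOCTYPE itself is a fatal error,
    // so the SYSTEM entity is never resolved and no file is opened.
    static boolean rejectsXxe(String xml) throws Exception {
        DocumentBuilder db = hardenedDbf().newDocumentBuilder();
        try {
            db.parse(new InputSource(new StringReader(xml)));
            return false; // parsed: an unhardened parser would have read the file
        } catch (SAXException e) {
            return true;  // rejected at the DOCTYPE, before any entity resolution
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("hardened parser rejects XXE sample: " + rejectsXxe(XXE_DOC));
        TransformerFactory tf = hardenedTf();
        System.out.println("transformer factory in use: " + tf.getClass().getName());
    }
}
```

These settings are the standard hardening for a parser or transformer the application itself instantiates. They are a check, not a substitute for the upstream fix: the weakness described above is that Tomcat did not constrain which class loader supplied the XML parser for XSLT processing, so a crafted web application could influence the parser that was loaded, which is exactly the situation that per-factory settings in the container cannot control. Upgrade to a fixed Tomcat release as listed below.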
Assigned-to
mdeslaur
Notes
mdeslaur> patch is intrusive
Package
Upstream:released (6.0.41-1)
Ubuntu 12.04 ESM (Precise Pangolin):needed
Ubuntu 14.04 ESM (Trusty Tahr):released ([6.0.39-1ubuntu0.1])
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (6.0.41-1)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
Patches:
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1589640
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1593815
Upstream:http://svn.apache.org/viewvc?view=revision&revision=1593821
Package
Upstream:released (8.0.5-1)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 ESM (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (8.0.9-1)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (8.0.9-1)
Ubuntu 19.04 (Disco Dingo):DNE
Ubuntu 19.10 (Eoan):DNE
More Information

Updated: 2019-10-18 02:17:04 UTC (commit cccfc4426d8c1fbf582a89d981fe7fc812124543)