CVE-2014-0119

Published: May 31, 2014Modified: May 6, 2026

4.3

Vector

AV:N/AC:M/Au:N/C:P/I:N/A:N

Exploitability: 8.6 / Impact: 2.9

Source: NVD

Description

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.

Affected (109)

Products: Apache: Tomcat

Apache

1 product

Tomcat

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 8.0.0 rc10
Apache Tomcat	Version 8.0.0 rc1
Apache Tomcat	Version 8.0.0 rc2
Apache Tomcat	Version 8.0.0 rc5
Apache Tomcat	Version 8.0.1
Apache Tomcat	Version 8.0.3
Apache Tomcat	Version 8.0.5

Configuration B

46 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Up to 6.0.39
Apache Tomcat	Version 6.0.0
Apache Tomcat	Version 6.0.0 alpha
Apache Tomcat	Version 6.0.10
Apache Tomcat	Version 6.0.11
Apache Tomcat	Version 6.0.12
Apache Tomcat	Version 6.0.13
Apache Tomcat	Version 6.0.14
Apache Tomcat	Version 6.0.15
Apache Tomcat	Version 6.0.16
Apache Tomcat	Version 6.0.17
Apache Tomcat	Version 6.0.18
Apache Tomcat	Version 6.0.19
Apache Tomcat	Version 6.0.1
Apache Tomcat	Version 6.0.1 alpha
Apache Tomcat	Version 6.0.20
Apache Tomcat	Version 6.0.24
Apache Tomcat	Version 6.0.26
Apache Tomcat	Version 6.0.27
Apache Tomcat	Version 6.0.28
Apache Tomcat	Version 6.0.29
Apache Tomcat	Version 6.0.2
Apache Tomcat	Version 6.0.2 alpha
Apache Tomcat	Version 6.0.2 beta
Apache Tomcat	Version 6.0.30
Apache Tomcat	Version 6.0.31
Apache Tomcat	Version 6.0.32
Apache Tomcat	Version 6.0.33
Apache Tomcat	Version 6.0.35
Apache Tomcat	Version 6.0.36
Apache Tomcat	Version 6.0.37
Apache Tomcat	Version 6.0.3
Apache Tomcat	Version 6.0.4
Apache Tomcat	Version 6.0.4 alpha
Apache Tomcat	Version 6.0.5
Apache Tomcat	Version 6.0.6
Apache Tomcat	Version 6.0.6 alpha
Apache Tomcat	Version 6.0.7
Apache Tomcat	Version 6.0.7 alpha
Apache Tomcat	Version 6.0.7 beta
Apache Tomcat	Version 6.0.8
Apache Tomcat	Version 6.0.8 alpha
Apache Tomcat	Version 6.0.9
Apache Tomcat	Version 6.0.9 beta
Apache Tomcat	Version 6.0
Apache Tomcat	Version 6

Configuration C

56 vulnerable

Vulnerable Software	Affected Versions
Apache Tomcat	Version 7.0.0
Apache Tomcat	Version 7.0.0 beta
Apache Tomcat	Version 7.0.10
Apache Tomcat	Version 7.0.11
Apache Tomcat	Version 7.0.12
Apache Tomcat	Version 7.0.13
Apache Tomcat	Version 7.0.14
Apache Tomcat	Version 7.0.15
Apache Tomcat	Version 7.0.16
Apache Tomcat	Version 7.0.17
Apache Tomcat	Version 7.0.18
Apache Tomcat	Version 7.0.19
Apache Tomcat	Version 7.0.1
Apache Tomcat	Version 7.0.20
Apache Tomcat	Version 7.0.21
Apache Tomcat	Version 7.0.22
Apache Tomcat	Version 7.0.23
Apache Tomcat	Version 7.0.24
Apache Tomcat	Version 7.0.25
Apache Tomcat	Version 7.0.26
Apache Tomcat	Version 7.0.27
Apache Tomcat	Version 7.0.28
Apache Tomcat	Version 7.0.29
Apache Tomcat	Version 7.0.2
Apache Tomcat	Version 7.0.2 beta
Apache Tomcat	Version 7.0.30
Apache Tomcat	Version 7.0.31
Apache Tomcat	Version 7.0.32
Apache Tomcat	Version 7.0.33
Apache Tomcat	Version 7.0.34
Apache Tomcat	Version 7.0.35
Apache Tomcat	Version 7.0.36
Apache Tomcat	Version 7.0.37
Apache Tomcat	Version 7.0.38
Apache Tomcat	Version 7.0.39
Apache Tomcat	Version 7.0.3
Apache Tomcat	Version 7.0.40
Apache Tomcat	Version 7.0.41
Apache Tomcat	Version 7.0.42
Apache Tomcat	Version 7.0.43
Apache Tomcat	Version 7.0.44
Apache Tomcat	Version 7.0.45
Apache Tomcat	Version 7.0.46
Apache Tomcat	Version 7.0.47
Apache Tomcat	Version 7.0.48
Apache Tomcat	Version 7.0.49
Apache Tomcat	Version 7.0.4
Apache Tomcat	Version 7.0.4 beta
Apache Tomcat	Version 7.0.50
Apache Tomcat	Version 7.0.52
Apache Tomcat	Version 7.0.53
Apache Tomcat	Version 7.0.5
Apache Tomcat	Version 7.0.6
Apache Tomcat	Version 7.0.7
Apache Tomcat	Version 7.0.8
Apache Tomcat	Version 7.0.9

Related CWEs

CWE-264

References (102)

http://advisories.mageia.org/MGASA-2014-0268.html

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=141017844705317&w=2

Source: secalert@redhat.com

http://marc.info/?l=bugtraq&m=144498216801440&w=2

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2015-0675.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2015-0720.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2015-0765.html

Source: secalert@redhat.com

http://seclists.org/fulldisclosure/2014/Dec/23

Source: secalert@redhat.com

http://seclists.org/fulldisclosure/2014/May/141

Source: secalert@redhat.com

http://secunia.com/advisories/59732

Source: secalert@redhat.com

http://secunia.com/advisories/59873

Source: secalert@redhat.com

http://secunia.com/advisories/60729

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1588193

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1588199

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1589640

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1589837

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1589980

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1589983

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1589985

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1589990

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1589992

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1589997

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1590028

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1590036

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1593815

Source: secalert@redhat.com

http://svn.apache.org/viewvc?view=revision&revision=1593821

Source: secalert@redhat.com

http://tomcat.apache.org/security-6.html

Source: secalert@redhat.com

Vendor Advisory

http://tomcat.apache.org/security-7.html

Source: secalert@redhat.com

Vendor Advisory

http://tomcat.apache.org/security-8.html

Source: secalert@redhat.com

Vendor Advisory

http://www-01.ibm.com/support/docview.wss?uid=swg21678231

Source: secalert@redhat.com

http://www-01.ibm.com/support/docview.wss?uid=swg21681528

Source: secalert@redhat.com

http://www.debian.org/security/2016/dsa-3530

Source: secalert@redhat.com

http://www.debian.org/security/2016/dsa-3552

Source: secalert@redhat.com

http://www.mandriva.com/security/advisories?name=MDVSA-2015:052

Source: secalert@redhat.com

http://www.mandriva.com/security/advisories?name=MDVSA-2015:053

Source: secalert@redhat.com

http://www.mandriva.com/security/advisories?name=MDVSA-2015:084

Source: secalert@redhat.com

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Source: secalert@redhat.com

http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

Source: secalert@redhat.com

http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Source: secalert@redhat.com

http://www.securityfocus.com/archive/1/534161/100/0/threaded

Source: secalert@redhat.com

http://www.securityfocus.com/bid/67669

Source: secalert@redhat.com

http://www.securitytracker.com/id/1030298

Source: secalert@redhat.com

http://www.ubuntu.com/usn/USN-2654-1

Source: secalert@redhat.com

http://www.vmware.com/security/advisories/VMSA-2014-0012.html

Source: secalert@redhat.com

https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013

Source: secalert@redhat.com

https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Source: secalert@redhat.com

http://advisories.mageia.org/MGASA-2014-0268.html