Home > Vulnerability Database > CVE-2014-0119

Mend.io Vulnerability Database

CVE-2014-0119

Good to know:

Date: May 31, 2014

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.

Language: Java

Severity Score

3.7

Related Resources (56)

Url: http://secunia.com/advisories/59873

Url: http://seclists.org/fulldisclosure/2014/Dec/23

Url: http://tomcat.apache.org/security-8.html

Url: http://www.securityfocus.com/bid/67669

Url: http://svn.apache.org/viewvc?view=revision&revision=1590036

Url: http://svn.apache.org/viewvc?view=revision&revision=1593821

Url: http://tomcat.apache.org/security-7.html

Url: http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Url: http://svn.apache.org/viewvc?view=revision&revision=1589983

Url: http://svn.apache.org/viewvc?view=revision&revision=1589980

Url: http://www.vmware.com/security/advisories/VMSA-2014-0012.html

Url: https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E

Url: http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

Url: http://www.debian.org/security/2016/dsa-3530

Url: http://svn.apache.org/viewvc?view=revision&revision=1589985

Url: http://www.mandriva.com/security/advisories?name=MDVSA-2015:084

Url: http://marc.info/?l=bugtraq&m=144498216801440&w=2

Url: https://nvd.nist.gov/vuln/detail/CVE-2014-0119

Url: http://rhn.redhat.com/errata/RHSA-2015-0765.html

Url: http://www.ubuntu.com/usn/USN-2654-1

Url: http://www-01.ibm.com/support/docview.wss?uid=swg21678231

Url: http://secunia.com/advisories/59732

Url: http://www.mandriva.com/security/advisories?name=MDVSA-2015:053

Url: http://seclists.org/fulldisclosure/2014/May/141

Url: http://svn.apache.org/viewvc?view=revision&revision=1589990

Url: https://access.redhat.com/security/cve/CVE-2014-0119

Url: http://rhn.redhat.com/errata/RHSA-2015-0675.html

Url: http://svn.apache.org/viewvc?view=revision&revision=1589992

Url: http://svn.apache.org/viewvc?view=revision&revision=1589997

Url: http://secunia.com/advisories/60729

Url: http://svn.apache.org/viewvc?view=revision&revision=1589837

Url: http://www.securityfocus.com/archive/1/534161/100/0/threaded

Url: http://www.mandriva.com/security/advisories?name=MDVSA-2015:052

Url: http://www.securitytracker.com/id/1030298

Url: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013

Url: https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E

Url: http://www-01.ibm.com/support/docview.wss?uid=swg21681528

Url: http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Url: https://people.canonical.com/~ubuntu-security/cve/CVE-2014-0119

Url: https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Url: https://security-tracker.debian.org/tracker/CVE-2014-0119

Url: http://svn.apache.org/viewvc?view=revision&revision=1588199

Url: http://svn.apache.org/viewvc?view=revision&revision=1589640

Url: https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E

Url: http://advisories.mageia.org/MGASA-2014-0268.html

Url: https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E

Url: http://www.debian.org/security/2016/dsa-3552

Url: https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E

Url: https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E

Url: http://tomcat.apache.org/security-6.html

Url: http://svn.apache.org/viewvc?view=revision&revision=1593815

Url: http://rhn.redhat.com/errata/RHSA-2015-0720.html

Url: http://marc.info/?l=bugtraq&m=141017844705317&w=2

Url: http://svn.apache.org/viewvc?view=revision&revision=1588193

Url: http://svn.apache.org/viewvc?view=revision&revision=1590028

Url: https://www.mend.io/vulnerability-database/CVE-2014-0119

Severity Score

3.7

Weakness Type (CWE)

Permissions, Privileges, and Access Control

CWE-264

Top Fix

Upgrade Version

Upgrade to version org.apache.tomcat:jasper:6.0.41,org.apache.tomcat:catalina:6.0.41,org.apache.tomcat:tomcat-jasper:8.0.8,7.0.54,org.apache.tomcat:tomcat-catalina:8.0.8,7.0.54,org.apache.tomcat:tomcat-util-scan:8.0.8,7.0.54,org.apache.tomcat.embed:tomcat-embed-core:8.0.8,7.0.54

Learn More

CVSS v3.1

Base Score:	3.7
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	LOW
Integrity (I):	NONE
Availability (A):	NONE

CVSS v2

Base Score:	4.3
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2014-0119

Good to know:

Date: May 31, 2014

Language: Java

Severity Score

Related Resources (56)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?