FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2014-0096

This CVE name corresponds to:

Entered      Topic
2014-07-23   tomcat -- multiple vulnerabilities

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type    Candidate
Name    CVE-2014-0096
Phase   Assigned (20131203)

Description

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

References

Source     Reference
BUGTRAQ    20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
FULLDISC   20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
CONFIRM    http://svn.apache.org/viewvc?view=revision&revision=1578610
CONFIRM    http://svn.apache.org/viewvc?view=revision&revision=1578611
CONFIRM    http://svn.apache.org/viewvc?view=revision&revision=1578637
CONFIRM    http://svn.apache.org/viewvc?view=revision&revision=1578655
CONFIRM    http://svn.apache.org/viewvc?view=revision&revision=1585853
CONFIRM    http://tomcat.apache.org/security-6.html
CONFIRM    http://tomcat.apache.org/security-7.html
CONFIRM    http://tomcat.apache.org/security-8.html
CONFIRM    http://www.novell.com/support/kb/doc.php?id=7010166
CONFIRM    http://www-01.ibm.com/support/docview.wss?uid=swg21678231
CONFIRM    http://linux.oracle.com/errata/ELSA-2014-0865.html
CONFIRM    http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
CONFIRM    http://www-01.ibm.com/support/docview.wss?uid=swg21681528
CONFIRM    http://www.vmware.com/security/advisories/VMSA-2014-0012.html
CONFIRM    http://advisories.mageia.org/MGASA-2014-0268.html
DEBIAN     DSA-3530
DEBIAN     DSA-3552
FEDORA     FEDORA-2015-2109
MANDRIVA   MDVSA-2015:052
MANDRIVA   MDVSA-2015:053
MANDRIVA   MDVSA-2015:084
REDHAT     RHSA-2015:0675
REDHAT     RHSA-2015:0720
REDHAT     RHSA-2015:0765
BID        67667
SECUNIA    59616
SECUNIA    59678
SECUNIA    59835
SECUNIA    59873
SECUNIA    59732
SECUNIA    59849
SECUNIA    60729