CVE-2014-0096XML External Entity (XXE) Injection in Apache Tomcat

CWE-264CWE-611XML External Entity (XXE) InjectionCWE-20Improper Input Validation11 documents8 sources
Severity
4.3MEDIUMNVD
EPSS
5.8%
top 9.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Apache Tomcat
Timeline
PublishedMay 31
Latest updateMay 14

Description

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS vector

AV:N/AC:M/C:P/I:N/A:NExploitability: 8.6 | Impact: 2.9

Affected Packages1 packages

NVDapache/tomcat6.0.39+90

🔴Vulnerability Details

5
OSV
Improper Input Validation in Apache Tomcat2022-05-14
GHSA
Improper Input Validation in Apache Tomcat2022-05-14
OSV
tomcat6, tomcat7 vulnerabilities2014-07-30
CVEList
CVE-2014-0096: java/org/apache/catalina/servlets/DefaultServlet2014-05-31
OSV
CVE-2014-0096: java/org/apache/catalina/servlets/DefaultServlet2014-05-31

📋Vendor Advisories

3
Ubuntu
Tomcat vulnerabilities2014-07-30
Red Hat
Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs2014-05-27
Apache
Apache tomcat: CVE-2014-0096

💬Community

2
Bugzilla
CVE-2014-0096 Apache Tomcat: XXE vulnerability via user supplied XSLTs [fedora-all]2014-05-28
Bugzilla
CVE-2014-0096 Tomcat/JBossWeb: XXE vulnerability via user supplied XSLTs2014-04-16
CVE-2014-0096 — XML External Entity (XXE) Injection | cvebase