CVE-2014-0107
published 2014-04-15

Priority: P354 | high | 7.5 | CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 13.70% (96.0th percentile)
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

Affected

16 ranges
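| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | xalan-java | <= 2.7.1 | |
| apache | xalan-java | | |
| apache | xalan-java | | |
| apache | xalan-java | | |
| apache | xalan-java | | |
| apache | xalan-java | | |
| apache | xalan-java | | |
| apache | xalan-java | | |
| apache | xalan-java | | |
| apache | xalan-java | | |
| apache | xalan-java | | |
| apache | xalan-java | | |
| apache | xalan-java | | |
| debian | libxalan2-java | < libxalan2-java 2.7.1-9 (bookworm) | libxalan2-java 2.7.1-9 (bookworm) |
| oracle | webcenter_sites | | |
| oracle | webcenter_sites | | |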

CVSS provenance

nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
osv | 7.5 | HIGH
vendor_debian | 7.5 | HIGH
vendor_redhat | 7.5 | HIGH