CVE-2014-0119: Missing XML Validation in Apache Tomcat

Severity: 4.3 MEDIUM (NVD)
EPSS: 4.4% (top 11.04%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: May 31
Latest update: May 14

Description

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted

CVSS vector

AV:N/AC:M/C:P/I:N/A:N
Exploitability: 8.6 | Impact: 2.9

Affected Packages (1 package)

NVD | apache/tomcat | 6.0.39 +92

🔴 Vulnerability Details (5)

OSV | Missing XML Validation in Apache Tomcat | 2022-05-14
GHSA | Missing XML Validation in Apache Tomcat | 2022-05-14
OSV | tomcat7 vulnerabilities | 2015-06-25
OSV | CVE-2014-0119: Apache Tomcat before 6 | 2014-05-31
CVEList | CVE-2014-0119: Apache Tomcat before 6 | 2014-05-31

📋 Vendor Advisories (3)

Ubuntu | Tomcat vulnerabilities | 2015-06-25
Red Hat | Tomcat/JBossWeb: XML parser hijack by malicious web application | 2014-05-27
Apache | Apache tomcat: CVE-2014-0119

💬 Community (1)

Bugzilla | CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application | 2014-05-28