CVE-2015-0254
Published 2015-03-09
Priority P354 · high · 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS: 13.26% (95.9th percentile)
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) or (2) JSTL XML tag.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apache | standard_taglibs | <= 1.2.1 | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_oracle | — | 7.3 | HIGH | — |
GHSA
XXE in Apache Standard Taglibs
ghsa · 2020-09-14 · CVE-2015-0254 · HIGH · CWE-611
OSV
XXE in Apache Standard Taglibs
osv · 2020-09-14 · CVE-2015-0254 · HIGH
OSV
CVE-2015-0254: Apache Standard Taglibs before 1
osv · 2015-03-09 · CVE-2015-0254 · HIGH · CVSS 7.5
Oracle
Oracle Fusion Middleware Risk Matrix: Third Party Tools (Apache Standard Taglibs) — CVE-2015-0254
vendor_oracle · 2021-07-15 · CVE-2015-0254 · HIGH · CVSS 7.3
CVE: CVE-2015-0254
CVSS: 7.3
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujul2021 (JUL 2021)
Oracle
Oracle Knowledge Risk Matrix: Information Manager Console (Apache Standard Taglibs) — CVE-2015-0254
vendor_oracle · 2020-04-15 · CVE-2015-0254 · HIGH · CVSS 7.3
CVE: CVE-2015-0254
CVSS: 7.3
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpuapr2020 (APR 2020)
Ubuntu
Apache Standard Taglibs vulnerability
vendor_ubuntu · 2015-03-30 · CVE-2015-0254
Summary: Apache Standard Taglibs loaded external XML entities.
David Jorm discovered that the Apache Standard Taglibs incorrectly handled external XML entities. A remote attacker could possibly use this issue to execute arbitrary code or perform other external XML entity attacks.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags
vendor_redhat · 2015-02-27 · CVE-2015-0254 · HIGH · CVSS 7.5
It was found that the Java Standard Tag Library (JSTL) allowed the processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and, potentially, allowing arbitrary code execution.
Statement: Users of EAP 6.x and 7.0 should upgrade to at least 6.4.9 and pass the following system property on startup to prevent XXE attacks in JSTL:
org.apache.taglibs.standard.xml.accessExternalEntity=false
For more details please see refer to this KCS solution:
https://access.redhat.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags
bugzilla · 2015-03-04 · CVE-2015-0254 · HIGH · CVSS 7.5
The following flaw was found in Apache Standard Taglibs:
When an application uses or tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.
Upstream announcement:
https://mail-archives.apache.org/mod_mbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E
Discussion:
Created jakarta-taglibs-standard tracking bugs for this issue:
Affects: fedora-all [bug 1198607]
---
Advice from upstream announcement by David Jorm:
Mitigation:
Users should upgrade to Apache Standard Taglibs 1.2.3 or later.
This version uses JAXP's FEATURE_SECURE_PROC
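Both the Red Hat statement (the accessExternalEntity=false system property) and the upstream mitigation (a fixed version that relies on JAXP's secure-processing feature) come down to the same JAXP controls. The Java below is an added illustration for application code that parses or transforms untrusted XML itself; it is not code from Apache Standard Taglibs or from any of the advisories quoted here. The class name HardenedJaxp, the sample document and the sample stylesheet are constructed for the example. It uses only standard JAXP API: XMLConstants.FEATURE_SECURE_PROCESSING, the ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_SCHEMA / ACCESS_EXTERNAL_STYLESHEET properties (JAXP 1.5, JDK 7u40 and later) and the Xerces disallow-doctype-decl feature.

```java
import java.io.StringReader;
import java.io.StringWriter;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;

import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

// Hypothetical class name; illustrative code, not part of Apache Standard Taglibs.
// The JSTL-specific property from the Red Hat statement is set on the JVM
// command line, not here:  -Dorg.apache.taglibs.standard.xml.accessExternalEntity=false
public final class HardenedJaxp {

    // DOM parser for untrusted XML: secure processing on, DOCTYPE refused outright,
    // and the JAXP 1.5 ACCESS_EXTERNAL_* limits set to "" (no protocol allowed)
    // as a second layer in case the DOCTYPE feature is not honoured.
    static DocumentBuilder newHardenedParser() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // XSLT factory for untrusted stylesheets: with FEATURE_SECURE_PROCESSING the
    // JDK's built-in processor refuses extension functions and elements (the
    // code-execution path named in this CVE); the ACCESS_EXTERNAL_* limits stop a
    // stylesheet from fetching external DTDs or imported/included stylesheets.
    static TransformerFactory newHardenedTransformerFactory()
            throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a document that declares an external entity. The
        // SYSTEM identifier is a placeholder; the hardened parser never resolves it.
        String withDoctype = "<?xml version=\"1.0\"?>\n"
                + "<!DOCTYPE d [<!ENTITY e SYSTEM \"file:///placeholder-never-read\">]>\n"
                + "<d>&e;</d>";
        try {
            newHardenedParser().parse(new InputSource(new StringReader(withDoctype)));
            System.out.println("parsed: hardening is NOT in effect");
        } catch (SAXParseException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }

        // Constructed sample: an ordinary stylesheet still runs under secure
        // processing; only extension calls and external fetches are refused.
        String doc = "<d><v>ok</v></d>";
        String xsl = "<xsl:stylesheet version=\"1.0\""
                + " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
                + "<xsl:output method=\"text\"/>"
                + "<xsl:template match=\"/\"><xsl:value-of select=\"/d/v\"/></xsl:template>"
                + "</xsl:stylesheet>";
        Transformer t = newHardenedTransformerFactory()
                .newTransformer(new StreamSource(new StringReader(xsl)));
        StringWriter out = new StringWriter();
        t.transform(new StreamSource(new StringReader(doc)), new StreamResult(out));
        System.out.println("transform output: " + out);
    }
}
```

With the JDK's bundled JAXP implementation the first parse fails with a SAXParseException naming the disallow-doctype-decl feature, and the transform prints "ok". A third-party Xerces or Xalan on the classpath may not recognise the ACCESS_EXTERNAL_* attributes and will throw IllegalArgumentException from setAttribute; treat that as a signal that the parser in use predates JAXP 1.5 and needs upgrading, not as something to catch and ignore.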
Bugzilla
CVE-2015-0254 jakarta-taglibs-standard: XXE and RCE via XSL extension in JSTL XML tags [fedora-all]
bugzilla · 2015-03-04 · CVE-2015-0254 · HIGH · CVSS 7.5
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple
References
- http://lists.opensuse.org/opensuse-updates/2015-10/msg00033.html
- http://mail-archives.apache.org/mod_mbox/tomcat-taglibs-user/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E
- http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html
- http://rhn.redhat.com/errata/RHSA-2015-1695.html
- http://rhn.redhat.com/errata/RHSA-2016-1838.html
- http://rhn.redhat.com/errata/RHSA-2016-1839.html
- http://rhn.redhat.com/errata/RHSA-2016-1840.html
- http://rhn.redhat.com/errata/RHSA-2016-1841.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
- http://www.securityfocus.com/archive/1/534772/100/0/threaded
- http://www.securityfocus.com/bid/72809
- http://www.securitytracker.com/id/1034934
- http://www.ubuntu.com/usn/USN-2551-1
- https://access.redhat.com/errata/RHSA-2016:1376
- https://lists.apache.org/thread.html/8a20e48acb2a40be5130df91cf9d39d8ad93181989413d4abcaa4914%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6c93d8ade3788dbc00f5a37238bc278e7d859f2446b885460783a16f%40%3Cpluto-dev.portals.apache.org%3E
- https://lists.apache.org/thread.html/rc1686f6196bb9063bf26577a21b8033c19c1a30e5a9159869c8f3d38%40%3Cpluto-dev.portals.apache.org%3E
- https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/rf1179e6971bc46f0f68879a9a10cc97ad4424451b0889aeef04c8077%40%3Cpluto-scm.portals.apache.org%3E
- https://lists.apache.org/thread.html/rfc2bfd99c340dafd501676693cd889c1f9f838b97bdd0776a8f5557d%40%3Cdev.tomcat.apache.org%3E
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html