CVE-2014-0096
Published: 31 May 2014
java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
From the Ubuntu Security Team
It was discovered that Tomcat did not properly restrict XSLT stylesheets. An attacker could use this issue with a crafted web application to bypass security-manager restrictions and read arbitrary files.
Status
| Package | Release | Status |
|---|---|---|
| tomcat6 | artful | Does not exist |
| tomcat6 | bionic | Does not exist |
| tomcat6 | lucid | Released (6.0.24-2ubuntu1.16) |
| tomcat6 | precise | Released (6.0.35-1ubuntu3.5) |
| tomcat6 | saucy | Ignored (end of life) |
| tomcat6 | trusty | Released (6.0.39-1ubuntu0.1) |
| tomcat6 | upstream | Released (6.0.41-1) |
| tomcat6 | utopic | Not vulnerable (6.0.41-1) |
| tomcat6 | vivid | Not vulnerable (6.0.41-1) |
| tomcat6 | wily | Not vulnerable (6.0.41-1) |
| tomcat6 | xenial | Not vulnerable (6.0.41-1) |
| tomcat6 | yakkety | Does not exist |
| tomcat6 | zesty | Does not exist |

Patches (tomcat6): upstream: http://svn.apache.org/viewvc?view=revision&revision=1585853

| Package | Release | Status |
|---|---|---|
| tomcat7 | artful | Not vulnerable (7.0.53-1) |
| tomcat7 | bionic | Not vulnerable (7.0.53-1) |
| tomcat7 | lucid | Does not exist |
| tomcat7 | precise | Ignored (end of life) |
| tomcat7 | saucy | Ignored (end of life) |
| tomcat7 | trusty | Released (7.0.52-1ubuntu0.1) |
| tomcat7 | upstream | Released (7.0.53-1) |
| tomcat7 | utopic | Not vulnerable (7.0.53-1) |
| tomcat7 | vivid | Not vulnerable (7.0.53-1) |
| tomcat7 | wily | Not vulnerable (7.0.53-1) |
| tomcat7 | xenial | Not vulnerable (7.0.53-1) |
| tomcat7 | yakkety | Not vulnerable (7.0.53-1) |
| tomcat7 | zesty | Not vulnerable (7.0.53-1) |

Patches (tomcat7): upstream: http://svn.apache.org/viewvc?view=revision&revision=1578637 and upstream: http://svn.apache.org/viewvc?view=revision&revision=1578655

| Package | Release | Status |
|---|---|---|
| tomcat8 | artful | Not vulnerable (8.0.9-1) |
| tomcat8 | bionic | Not vulnerable (8.0.9-1) |
| tomcat8 | lucid | Does not exist |
| tomcat8 | precise | Does not exist |
| tomcat8 | saucy | Does not exist |
| tomcat8 | trusty | Does not exist |
| tomcat8 | upstream | Released (8.0.5-1) |
| tomcat8 | utopic | Not vulnerable (8.0.9-1) |
| tomcat8 | vivid | Not vulnerable (8.0.9-1) |
| tomcat8 | wily | Not vulnerable (8.0.9-1) |
| tomcat8 | xenial | Not vulnerable (8.0.9-1) |
| tomcat8 | yakkety | Not vulnerable (8.0.9-1) |
| tomcat8 | zesty | Not vulnerable (8.0.9-1) |