2014-05-31 13:17:13 2019-04-15 18:29:41

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CVSS v2 base metrics

Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE
Affected versions

Apache Tomcat 8.0.3 (not an official CPE)
Apache Software Foundation Tomcat 8.0.1
Apache Software Foundation Tomcat 8.0.0 release candidate 5
Apache Software Foundation Tomcat 8.0.0 Release Candidate 2
Apache Software Foundation Tomcat 8.0.0 release candidate 10
Apache Software Foundation Tomcat 8.0.0 Release Candidate 1
Apache Tomcat 7.0.52 (not an official CPE)
Apache Software Foundation Tomcat 7.0.50
Apache Software Foundation Tomcat 7.0.49
Apache Software Foundation Tomcat 7.0.48
Apache Software Foundation Tomcat 7.0.47
Apache Software Foundation Tomcat 7.0.46
Apache Software Foundation Tomcat 7.0.45
Apache Software Foundation Tomcat 7.0.44
Apache Software Foundation Tomcat 7.0.43
Apache Software Foundation Tomcat 7.0.42
Apache Software Foundation Tomcat 7.0.41
Apache Software Foundation Tomcat 7.0.40
Apache Software Foundation Tomcat 7.0.39
Apache Software Foundation Tomcat 7.0.38
Apache Software Foundation Tomcat 7.0.37
Apache Software Foundation Tomcat 7.0.36
Apache Software Foundation Tomcat 7.0.35
Apache Software Foundation Tomcat 7.0.34
Apache Software Foundation Tomcat 7.0.33
Apache Software Foundation Tomcat 7.0.32
Apache Software Foundation Tomcat 7.0.31
Apache Software Foundation Tomcat 7.0.30
Apache Software Foundation Tomcat 7.0.29
Apache Software Foundation Tomcat 7.0.28
Apache Software Foundation Tomcat 7.0.27
Apache Software Foundation Tomcat 7.0.26
Apache Software Foundation Tomcat 7.0.25
Apache Software Foundation Tomcat 7.0.24
Apache Software Foundation Tomcat 7.0.23
Apache Software Foundation Tomcat 7.0.22
Apache Software Foundation Tomcat 7.0.21
Apache Software Foundation Tomcat 7.0.20
Apache Software Foundation Tomcat 7.0.19
Apache Software Foundation Tomcat 7.0.18
Apache Software Foundation Tomcat 7.0.17
Apache Software Foundation Tomcat 7.0.16
Apache Software Foundation Tomcat 7.0.15
Apache Software Foundation Tomcat 7.0.14
Apache Software Foundation Tomcat 7.0.13
Apache Software Foundation Tomcat 7.0.12
Apache Software Foundation Tomcat 7.0.11
Apache Software Foundation Tomcat 7.0.10
Apache Software Foundation Tomcat 7.0.9
Apache Software Foundation Tomcat 7.0.8
Apache Software Foundation Tomcat 7.0.7
Apache Software Foundation Tomcat 7.0.6
Apache Software Foundation Tomcat 7.0.5
Apache Software Foundation Tomcat 7.0.4 beta
Apache Software Foundation Tomcat 7.0.4
Apache Software Foundation Tomcat 7.0.3
Apache Software Foundation Tomcat 7.0.2 beta
Apache Software Foundation Tomcat 7.0.2
Apache Software Foundation Tomcat 7.0.1
Apache Software Foundation Tomcat 7.0.0 beta
Apache Software Foundation Tomcat 7.0.0
Apache Tomcat 6.0.39 (not an official CPE)
Apache Software Foundation Tomcat 6.0.37
Apache Software Foundation Tomcat 6.0.36
Apache Software Foundation Tomcat 6.0.35
Apache Software Foundation Tomcat 6.0.33
Apache Software Foundation Tomcat 6.0.32
Apache Software Foundation Tomcat 6.0.31
Apache Software Foundation Tomcat 6.0.30
Apache Software Foundation Tomcat 6.0.29
Apache Software Foundation Tomcat 6.0.28
Apache Software Foundation Tomcat 6.0.27
Apache Software Foundation Tomcat 6.0.26
Apache Software Foundation Tomcat 6.0.24
Apache Software Foundation Tomcat 6.0.20
Apache Software Foundation Tomcat 6.0.19
Apache Software Foundation Tomcat 6.0.18
Apache Software Foundation Tomcat 6.0.14
Apache Software Foundation Tomcat 6.0.15
Apache Software Foundation Tomcat 6.0.16
Apache Software Foundation Tomcat 6.0.10
Apache Software Foundation Tomcat 6.0.11
Apache Software Foundation Tomcat 6.0.17
Apache Software Foundation Tomcat 6.0.13
Apache Software Foundation Tomcat 6.0.12
Apache Software Foundation Tomcat 6.0.9 beta
Apache Software Foundation Tomcat 6.0.8 alpha
Apache Software Foundation Tomcat 6.0.9
Apache Software Foundation Tomcat 6.0.8
Apache Software Foundation Tomcat 6.0.7 beta
Apache Software Foundation Tomcat 6.0.7 alpha
Apache Software Foundation Tomcat 6.0.7
Apache Software Foundation Tomcat 6.0.6 alpha
Apache Software Foundation Tomcat 6.0.6
Apache Software Foundation Tomcat 6.0.3
Apache Software Foundation Tomcat 6.0.5
Apache Software Foundation Tomcat 6.0.4 alpha
Apache Software Foundation Tomcat 6.0.4
Apache Software Foundation Tomcat 6.0.2 beta
Apache Software Foundation Tomcat 6.0.2 alpha
Apache Software Foundation Tomcat 6.0.2
Apache Software Foundation Tomcat 6.0.1 alpha
Apache Software Foundation Tomcat 6.0.1
Apache Software Foundation Tomcat 6.0.0 alpha
Apache Software Foundation Tomcat 6.0.0
Apache Software Foundation Tomcat 6.0
Apache Software Foundation Tomcat 6
References (Advisory / Patch / Confirmed / Link)
[tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in ...
[tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in ...
[tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in ...
67667
1030301
http://www.vmware.com/security/advisories/VMSA-2014-0012...
20141205 NEW: VMSA-2014-0012 - VMware vSphere product up...
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/d...
http://www.oracle.com/technetwork/topics/security/cpuoct...
http://www.oracle.com/technetwork/topics/security/cpujul...
MDVSA-2015:052
MDVSA-2015:084
http://www.novell.com/support/kb/doc.php?id=7010166
http://www.oracle.com/technetwork/security-advisory/cpuo...
MDVSA-2015:053
DSA-3552
DSA-3530
http://tomcat.apache.org/security-8.html
http://www-01.ibm.com/support/docview.wss?uid=swg2167823...
http://www-01.ibm.com/support/docview.wss?uid=swg2168152...
http://tomcat.apache.org/security-7.html
http://svn.apache.org/viewvc?view=revision&revision=1585...
http://tomcat.apache.org/security-6.html
http://svn.apache.org/viewvc?view=revision&revision=1578...
http://svn.apache.org/viewvc?view=revision&revision=1578...
http://svn.apache.org/viewvc?view=revision&revision=1578...
http://svn.apache.org/viewvc?view=revision&revision=1578...
20140527 [SECURITY] CVE-2014-0096 Apache Tomcat informat...
59121
20141205 NEW: VMSA-2014-0012 - VMware vSphere product up...
RHSA-2015:0765
FEDORA-2015-2109
RHSA-2015:0720
HPSBOV03503
RHSA-2015:0675
HPSBUX03102
http://advisories.mageia.org/MGASA-2014-0268.html
http://linux.oracle.com/errata/ELSA-2014-0865.html
[tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in ...