2014-05-31 13:17:13 2019-04-15 18:29:52

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.

Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Confidentiality: PARTIAL
Integrity: NONE
Availability: NONE

Apache Tomcat 8.0.3 (not an official CPE)
Apache Tomcat 8.0.5 (not an official CPE)
Apache Software Foundation Tomcat 8.0.1
Apache Software Foundation Tomcat 8.0.0 release candidate 5
Apache Software Foundation Tomcat 8.0.0 Release Candidate 2
Apache Software Foundation Tomcat 8.0.0 release candidate 10
Apache Software Foundation Tomcat 8.0.0 Release Candidate 1
Apache Tomcat 7.0.53 (not an official CPE)
Apache Tomcat 7.0.52 (not an official CPE)
Apache Software Foundation Tomcat 7.0.50
Apache Software Foundation Tomcat 7.0.49
Apache Software Foundation Tomcat 7.0.48
Apache Software Foundation Tomcat 7.0.47
Apache Software Foundation Tomcat 7.0.46
Apache Software Foundation Tomcat 7.0.45
Apache Software Foundation Tomcat 7.0.44
Apache Software Foundation Tomcat 7.0.43
Apache Software Foundation Tomcat 7.0.42
Apache Software Foundation Tomcat 7.0.41
Apache Software Foundation Tomcat 7.0.40
Apache Software Foundation Tomcat 7.0.39
Apache Software Foundation Tomcat 7.0.38
Apache Software Foundation Tomcat 7.0.37
Apache Software Foundation Tomcat 7.0.36
Apache Software Foundation Tomcat 7.0.35
Apache Software Foundation Tomcat 7.0.34
Apache Software Foundation Tomcat 7.0.33
Apache Software Foundation Tomcat 7.0.32
Apache Software Foundation Tomcat 7.0.31
Apache Software Foundation Tomcat 7.0.30
Apache Software Foundation Tomcat 7.0.29
Apache Software Foundation Tomcat 7.0.28
Apache Software Foundation Tomcat 7.0.27
Apache Software Foundation Tomcat 7.0.26
Apache Software Foundation Tomcat 7.0.25
Apache Software Foundation Tomcat 7.0.24
Apache Software Foundation Tomcat 7.0.23
Apache Software Foundation Tomcat 7.0.22
Apache Software Foundation Tomcat 7.0.21
Apache Software Foundation Tomcat 7.0.20
Apache Software Foundation Tomcat 7.0.19
Apache Software Foundation Tomcat 7.0.18
Apache Software Foundation Tomcat 7.0.17
Apache Software Foundation Tomcat 7.0.16
Apache Software Foundation Tomcat 7.0.15
Apache Software Foundation Tomcat 7.0.14
Apache Software Foundation Tomcat 7.0.13
Apache Software Foundation Tomcat 7.0.12
Apache Software Foundation Tomcat 7.0.11
Apache Software Foundation Tomcat 7.0.10
Apache Software Foundation Tomcat 7.0.9
Apache Software Foundation Tomcat 7.0.8
Apache Software Foundation Tomcat 7.0.7
Apache Software Foundation Tomcat 7.0.6
Apache Software Foundation Tomcat 7.0.5
Apache Software Foundation Tomcat 7.0.4 beta
Apache Software Foundation Tomcat 7.0.4
Apache Software Foundation Tomcat 7.0.3
Apache Software Foundation Tomcat 7.0.2 beta
Apache Software Foundation Tomcat 7.0.2
Apache Software Foundation Tomcat 7.0.1
Apache Software Foundation Tomcat 7.0.0 beta
Apache Software Foundation Tomcat 7.0.0
Apache Tomcat 6.0.39 (not an official CPE)
Apache Software Foundation Tomcat 6.0.37
Apache Software Foundation Tomcat 6.0.36
Apache Software Foundation Tomcat 6.0.35
Apache Software Foundation Tomcat 6.0.32
Apache Software Foundation Tomcat 6.0.33
Apache Software Foundation Tomcat 6.0.31
Apache Software Foundation Tomcat 6.0.30
Apache Software Foundation Tomcat 6.0.29
Apache Software Foundation Tomcat 6.0.28
Apache Software Foundation Tomcat 6.0.27
Apache Software Foundation Tomcat 6.0.26
Apache Software Foundation Tomcat 6.0.24
Apache Software Foundation Tomcat 6.0.20
Apache Software Foundation Tomcat 6.0.19
Apache Software Foundation Tomcat 6.0.18
Apache Software Foundation Tomcat 6.0.17
Apache Software Foundation Tomcat 6.0.16
Apache Software Foundation Tomcat 6.0.15
Apache Software Foundation Tomcat 6.0.14
Apache Software Foundation Tomcat 6.0.12
Apache Software Foundation Tomcat 6.0.13
Apache Software Foundation Tomcat 6.0.11
Apache Software Foundation Tomcat 6.0.9
Apache Software Foundation Tomcat 6.0.10
Apache Software Foundation Tomcat 6.0.9 beta
Apache Software Foundation Tomcat 6.0.7 beta
Apache Software Foundation Tomcat 6.0.8 alpha
Apache Software Foundation Tomcat 6.0.8
Apache Software Foundation Tomcat 6.0.7 alpha
Apache Software Foundation Tomcat 6.0.7
Apache Software Foundation Tomcat 6.0.6 alpha
Apache Software Foundation Tomcat 6.0.6
Apache Software Foundation Tomcat 6.0.5
Apache Software Foundation Tomcat 6.0.4 alpha
Apache Software Foundation Tomcat 6.0.4
Apache Software Foundation Tomcat 6.0.3
Apache Software Foundation Tomcat 6.0.2 beta
Apache Software Foundation Tomcat 6.0.1
Apache Software Foundation Tomcat 6.0.2 alpha
Apache Software Foundation Tomcat 6.0.2
Apache Software Foundation Tomcat 6.0.1 alpha
Apache Software Foundation Tomcat 6.0.0
Apache Software Foundation Tomcat 6.0.0 alpha
Apache Software Foundation Tomcat 6.0
Apache Software Foundation Tomcat 6

Advisory Patch Confirmed Link
http://svn.apache.org/viewvc?view=revision&revision=1590...
20140527 [SECURITY] CVE-2014-0119 Apache Tomcat informat...
http://svn.apache.org/viewvc?view=revision&revision=1588...
http://svn.apache.org/viewvc?view=revision&revision=1588...
http://svn.apache.org/viewvc?view=revision&revision=1589...
http://svn.apache.org/viewvc?view=revision&revision=1589...
http://svn.apache.org/viewvc?view=revision&revision=1589...
http://svn.apache.org/viewvc?view=revision&revision=1589...
http://svn.apache.org/viewvc?view=revision&revision=1589...
http://svn.apache.org/viewvc?view=revision&revision=1589...
http://svn.apache.org/viewvc?view=revision&revision=1589...
http://svn.apache.org/viewvc?view=revision&revision=1589...
http://svn.apache.org/viewvc?view=revision&revision=1590...
[tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in ...
[tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in ...
[tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in ...
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/d...
USN-2654-1
http://www.vmware.com/security/advisories/VMSA-2014-0012...
1030298
67669
20141205 NEW: VMSA-2014-0012 - VMware vSphere product up...
http://www.oracle.com/technetwork/topics/security/cpuoct...
http://www.oracle.com/technetwork/topics/security/cpujul...
MDVSA-2015:084
http://www.oracle.com/technetwork/security-advisory/cpuo...
http://www-01.ibm.com/support/docview.wss?uid=swg2168152...
DSA-3530
MDVSA-2015:053
MDVSA-2015:052
DSA-3552
http://www-01.ibm.com/support/docview.wss?uid=swg2167823...
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-6.html
http://svn.apache.org/viewvc?view=revision&revision=1593...
http://svn.apache.org/viewvc?view=revision&revision=1593...
20141205 NEW: VMSA-2014-0012 - VMware vSphere product up...
RHSA-2015:0765
HPSBOV03503
RHSA-2015:0675
RHSA-2015:0720
http://advisories.mageia.org/MGASA-2014-0268.html
HPSBUX03102
[tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in ...