Posted to dev@tomcat.apache.org by bu...@apache.org on 2021/08/23 19:48:47 UTC

[Bug 65516] New: upgrade to xalan 2.7.2 to address CVE-2014-0107

https://bz.apache.org/bugzilla/show_bug.cgi?id=65516

            Bug ID: 65516
           Summary: upgrade to xalan 2.7.2 to address CVE-2014-0107
           Product: Tomcat 9
           Version: 9.0.52
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Packaging
          Assignee: dev@tomcat.apache.org
          Reporter: jeehongm@parasoft.com
  Target Milestone: -----

For more info, see https://nvd.nist.gov/vuln/detail/CVE-2014-0107

Tomcat 9.0.52 currently ships with xalan 2.7.0. 

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly
restrict access to certain properties when FEATURE_SECURE_PROCESSING is
enabled, which allows remote attackers to bypass expected restrictions and load
arbitrary classes or access external resources via a crafted (1)
xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4)
xslt:entities property, or a Java property that is bound to the XSLT 1.0
system-property function.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
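The report above rests on two questions a practitioner would verify before acting on a scanner finding for CVE-2014-0107: which Xalan build, if any, is actually on the class path, and whether the TransformerFactory in use accepts restrictions beyond FEATURE_SECURE_PROCESSING, the feature the CVE text says Xalan before 2.7.2 failed to honour. The following is an added example written for this page; it is not code from the bug report, from Tomcat or from Xalan. It assumes `org.apache.xalan.Version.getVersion()` is present when xalan.jar is on the class path (resolved reflectively so the class compiles without it) and uses only the standard JAXP `TransformerFactory` API.

```java
import javax.xml.XMLConstants;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;

/**
 * Added example (not from the bug report, Tomcat or Xalan): two checks to run
 * when a scanner reports CVE-2014-0107 against a deployment.
 *
 *   1. Which Xalan build, if any, is on the class path, and which
 *      TransformerFactory implementation JAXP actually resolves to.
 *   2. Whether that factory accepts the JAXP 1.5 external-access attributes,
 *      an application-side restriction that does not depend on
 *      FEATURE_SECURE_PROCESSING being enforced correctly.
 */
public class XalanCheck {

    /**
     * Returns the Xalan version string, or null if Xalan is not on the class path.
     * Assumption: org.apache.xalan.Version.getVersion() exists in xalan.jar.
     * Reflection keeps this class compiling and running when Xalan is absent.
     */
    static String xalanVersion() {
        try {
            Class<?> v = Class.forName("org.apache.xalan.Version");
            return (String) v.getMethod("getVersion").invoke(null);
        } catch (ReflectiveOperationException e) {
            return null;
        }
    }

    /**
     * Builds a TransformerFactory with FEATURE_SECURE_PROCESSING enabled and the
     * JAXP 1.5 external-access attributes set to the empty string (no protocols
     * allowed). FEATURE_SECURE_PROCESSING on its own is what CVE-2014-0107
     * bypassed; ACCESS_EXTERNAL_DTD / ACCESS_EXTERNAL_STYLESHEET block external
     * fetches on factories that implement them (the JDK's built-in XSLTC does).
     * A factory that does not recognise them throws IllegalArgumentException,
     * which is surfaced here as a configuration error rather than silently ignored.
     */
    static TransformerFactory hardenedFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        try {
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
            tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        } catch (IllegalArgumentException e) {
            throw new TransformerConfigurationException(
                "TransformerFactory " + tf.getClass().getName()
                + " does not support JAXP 1.5 access restrictions", e);
        }
        return tf;
    }

    public static void main(String[] args) throws Exception {
        String v = xalanVersion();
        System.out.println("Xalan on class path: " + (v == null ? "none" : v));
        TransformerFactory tf = hardenedFactory();
        System.out.println("TransformerFactory implementation: " + tf.getClass().getName());
    }
}
```

Run it with the application's class path (for a Tomcat webapp, that means the container's lib directory plus WEB-INF/lib) so the result reflects what the running application would load rather than what a filename-based scanner matched; a reported "none" for Xalan and a JDK-internal factory implementation mean the finding should be re-examined rather than patched blindly.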


[Bug 65516] upgrade to xalan 2.7.2 to address CVE-2014-0107

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65516

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED
