4.3

CVE-2014-0096

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
ApacheTomcat Version7.0.0
ApacheTomcat Version7.0.0 Updatebeta
ApacheTomcat Version7.0.1
ApacheTomcat Version7.0.2
ApacheTomcat Version7.0.2 Updatebeta
ApacheTomcat Version7.0.3
ApacheTomcat Version7.0.4
ApacheTomcat Version7.0.4 Updatebeta
ApacheTomcat Version7.0.5
ApacheTomcat Version7.0.6
ApacheTomcat Version7.0.7
ApacheTomcat Version7.0.8
ApacheTomcat Version7.0.9
ApacheTomcat Version7.0.10
ApacheTomcat Version7.0.11
ApacheTomcat Version7.0.12
ApacheTomcat Version7.0.13
ApacheTomcat Version7.0.14
ApacheTomcat Version7.0.15
ApacheTomcat Version7.0.16
ApacheTomcat Version7.0.17
ApacheTomcat Version7.0.18
ApacheTomcat Version7.0.19
ApacheTomcat Version7.0.20
ApacheTomcat Version7.0.21
ApacheTomcat Version7.0.22
ApacheTomcat Version7.0.23
ApacheTomcat Version7.0.24
ApacheTomcat Version7.0.25
ApacheTomcat Version7.0.26
ApacheTomcat Version7.0.27
ApacheTomcat Version7.0.28
ApacheTomcat Version7.0.29
ApacheTomcat Version7.0.30
ApacheTomcat Version7.0.31
ApacheTomcat Version7.0.32
ApacheTomcat Version7.0.33
ApacheTomcat Version7.0.34
ApacheTomcat Version7.0.35
ApacheTomcat Version7.0.36
ApacheTomcat Version7.0.37
ApacheTomcat Version7.0.38
ApacheTomcat Version7.0.39
ApacheTomcat Version7.0.40
ApacheTomcat Version7.0.41
ApacheTomcat Version7.0.42
ApacheTomcat Version7.0.43
ApacheTomcat Version7.0.44
ApacheTomcat Version7.0.45
ApacheTomcat Version7.0.46
ApacheTomcat Version7.0.47
ApacheTomcat Version7.0.48
ApacheTomcat Version7.0.49
ApacheTomcat Version7.0.50
ApacheTomcat Version7.0.52
ApacheTomcat Version8.0.0 Updaterc1
ApacheTomcat Version8.0.0 Updaterc10
ApacheTomcat Version8.0.0 Updaterc2
ApacheTomcat Version8.0.0 Updaterc5
ApacheTomcat Version8.0.1
ApacheTomcat Version8.0.3
ApacheTomcat Version <= 6.0.39
ApacheTomcat Version6
ApacheTomcat Version6.0
ApacheTomcat Version6.0.0
ApacheTomcat Version6.0.0 Updatealpha
ApacheTomcat Version6.0.1
ApacheTomcat Version6.0.1 Updatealpha
ApacheTomcat Version6.0.2
ApacheTomcat Version6.0.2 Updatealpha
ApacheTomcat Version6.0.2 Updatebeta
ApacheTomcat Version6.0.3
ApacheTomcat Version6.0.4
ApacheTomcat Version6.0.4 Updatealpha
ApacheTomcat Version6.0.5
ApacheTomcat Version6.0.6
ApacheTomcat Version6.0.6 Updatealpha
ApacheTomcat Version6.0.7
ApacheTomcat Version6.0.7 Updatealpha
ApacheTomcat Version6.0.7 Updatebeta
ApacheTomcat Version6.0.8
ApacheTomcat Version6.0.8 Updatealpha
ApacheTomcat Version6.0.9
ApacheTomcat Version6.0.9 Updatebeta
ApacheTomcat Version6.0.10
ApacheTomcat Version6.0.11
ApacheTomcat Version6.0.12
ApacheTomcat Version6.0.13
ApacheTomcat Version6.0.14
ApacheTomcat Version6.0.15
ApacheTomcat Version6.0.16
ApacheTomcat Version6.0.17
ApacheTomcat Version6.0.18
ApacheTomcat Version6.0.19
ApacheTomcat Version6.0.20
ApacheTomcat Version6.0.24
ApacheTomcat Version6.0.26
ApacheTomcat Version6.0.27
ApacheTomcat Version6.0.28
ApacheTomcat Version6.0.29
ApacheTomcat Version6.0.30
ApacheTomcat Version6.0.31
ApacheTomcat Version6.0.32
ApacheTomcat Version6.0.33
ApacheTomcat Version6.0.35
ApacheTomcat Version6.0.36
ApacheTomcat Version6.0.37
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 6.91% 0.933
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:P/I:N/A:N
Es wurden noch keine Informationen zu CWE veröffentlicht.
http://tomcat.apache.org/security-6.html
Vendor Advisory
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
http://tomcat.apache.org/security-7.html
Vendor Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://seclists.org/fulldisclosure/2014/Dec/23
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
http://www.novell.com/support/kb/doc.php?id=7010166
http://rhn.redhat.com/errata/RHSA-2015-0675.html
http://rhn.redhat.com/errata/RHSA-2015-0720.html
http://rhn.redhat.com/errata/RHSA-2015-0765.html
http://marc.info/?l=bugtraq&m=144498216801440&w=2
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
http://secunia.com/advisories/59873
http://tomcat.apache.org/security-8.html
Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21678231
http://www.debian.org/security/2016/dsa-3530
http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
http://marc.info/?l=bugtraq&m=141017844705317&w=2
http://advisories.mageia.org/MGASA-2014-0268.html
http://linux.oracle.com/errata/ELSA-2014-0865.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html
http://secunia.com/advisories/59121
http://secunia.com/advisories/59616
http://secunia.com/advisories/59678
http://secunia.com/advisories/59732
http://secunia.com/advisories/59835
http://secunia.com/advisories/59849
http://secunia.com/advisories/60729
http://www-01.ibm.com/support/docview.wss?uid=swg21681528
http://www.mandriva.com/security/advisories?name=MDVSA-2015:053
http://seclists.org/fulldisclosure/2014/May/135
http://svn.apache.org/viewvc?view=revision&revision=1578610
http://svn.apache.org/viewvc?view=revision&revision=1578611
http://svn.apache.org/viewvc?view=revision&revision=1578637
http://svn.apache.org/viewvc?view=revision&revision=1578655
http://svn.apache.org/viewvc?view=revision&revision=1585853
http://www.debian.org/security/2016/dsa-3552
http://www.securityfocus.com/bid/67667
http://www.securitytracker.com/id/1030301