[Bug 65516] New: upgrade to xalan 2.7.2 to address CVE-2014-0107

bugzilla Mon, 23 Aug 2021 12:48:54 -0700

https://bz.apache.org/bugzilla/show_bug.cgi?id=65516

            Bug ID: 65516
           Summary: upgrade to xalan 2.7.2 to address CVE-2014-0107
           Product: Tomcat 9
           Version: 9.0.52
          Hardware: PC
                OS: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Packaging
          Assignee: dev@tomcat.apache.org
          Reporter: jeeho...@parasoft.com
  Target Milestone: -----

For more info, see https://nvd.nist.gov/vuln/detail/CVE-2014-0107

Tomcat 9.0.52 currently ships with xalan 2.7.0. 

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly
restrict access to certain properties when FEATURE_SECURE_PROCESSING is
enabled, which allows remote attackers to bypass expected restrictions and load
arbitrary classes or access external resources via a crafted (1)
xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4)
xslt:entities property, or a Java property that is bound to the XSLT 1.0
system-property function.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 65516] New: upgrade to xalan 2.7.2 to address CVE-2014-0107

Reply via email to