2014-05-27 16:46 GMT+04:00 Mark Thomas <ma...@apache.org>:
> CVE-2014-0119 Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - Apache Tomcat 8.0.0-RC1 to 8.0.5
> - Apache Tomcat 7.0.0 to 7.0.53
> - Apache Tomcat 6.0.0 to 6.0.39
>
> Description:
> In limited circumstances it was possible for a malicious web application
> to replace the XML parsers used by Tomcat to process XSLTs for the
> default servlet, JSP documents, tag library descriptors (TLDs) and tag
> plugin configuration files. The injected XML parser(s) could then bypass
> the limits imposed on XML external entities and/or have visibility of
> the XML files processed for other web applications deployed on the same
> Tomcat instance.
>
The "default servlet" part of this issue was fixed by the following commits:
http://svn.apache.org/r1588193
http://svn.apache.org/r1588199
http://svn.apache.org/r1589640

Best regards,
Konstantin Kolinko
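Added illustration (not Tomcat's code and not the content of the commits above): the advisory describes a web application substituting the JAXP parser that the container itself uses, after which the substitute can ignore the container's entity limits. The two defensive measures a container or library can take are to pin the parser implementation to an explicit class loaded by its own classloader, so the application's classloader and its META-INF/services entries are never consulted, and to disable DTD and external-entity processing on that parser. The factory class name below is an assumption (the JDK's bundled Xerces implementation); a container would name the implementation it ships. The sample documents are constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/**
 * Added example (not Tomcat's code): pin the JAXP parser implementation so a
 * deployed application cannot substitute its own, then switch off DTD
 * processing so external entities are never resolved.
 */
public class PinnedSecureXmlParser {

    // Assumption: the JDK's bundled Xerces factory. A container would name the
    // implementation it ships and load it with its own classloader instead.
    private static final String FACTORY_CLASS =
            "com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderFactoryImpl";

    public static DocumentBuilder newBuilder() throws ParserConfigurationException {
        // Explicit class name plus explicit classloader: this bypasses the
        // thread-context-classloader / META-INF/services lookup through which
        // an application could otherwise supply a replacement parser.
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance(
                FACTORY_CLASS, PinnedSecureXmlParser.class.getClassLoader());

        // Hardening: refuse any DOCTYPE, so neither internal nor external
        // entities can be declared, and disable the remaining fetch paths.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    /** Returns true if the document parsed, false if the parser refused it. */
    public static boolean parses(String xml) throws Exception {
        try {
            Document d = newBuilder().parse(
                    new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return d.getDocumentElement() != null;
        } catch (SAXException e) {
            // disallow-doctype-decl makes any DOCTYPE a fatal parse error.
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: a plain TLD-like document and one carrying a DOCTYPE
        // that declares an external entity pointing at a placeholder path.
        String plain = "<taglib><tlib-version>1.0</tlib-version></taglib>";
        String withDtd = "<!DOCTYPE taglib [<!ENTITY ext SYSTEM \"file:///tmp/placeholder.txt\">]>"
                + "<taglib>&ext;</taglib>";
        System.out.println("plain document accepted: " + parses(plain));
        System.out.println("DOCTYPE document accepted: " + parses(withDtd));
    }
}
```

The first document is accepted and the second is rejected before any entity is resolved. Pinning the implementation matters as much as the feature flags: if the factory is obtained through the default `DocumentBuilderFactory.newInstance()` lookup while an application's classloader is the thread context classloader, the flags are being set on whatever parser that application chose to provide.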