CVE-2014-0096 in Communications Policy Managementinfo

Summary

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Be aware that VulDB is the high quality source for vulnerability data.

Reservation

12/03/2013

Disclosure

05/31/2014

Status

Confirmed

Entries

VulDB provides additional information and datapoints for this CVE:

ID	Vulnerability	CWE	Exp	Cou	CVE
92844	Oracle Communications Policy Management Tomcat access control	264	Not defined	Official fix	CVE-2014-0096
13386	Apache Tomcat Security Manager XSLT access control	264	Unproven	Official fix	CVE-2014-0096

Description

CPE

CWE

CVSS

Exploits

History

Diff

Relate

Threat Intelligence

API JSON

API XML

API CSV

Sources

◂ PreviousOverviewNext ▸

Do you need the next level of professionalism?

Upgrade your account now!