CVE-2014-0107 in Siebel CRMinfo

Summary

by MITRE

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 05/10/2026

The vulnerability identified as CVE-2014-0107 represents a critical security flaw in Apache Xalan-Java's TransformerFactory implementation prior to version 2.7.2. This issue stems from insufficient access controls within the XSLT transformation engine that processes XML documents with XSLT stylesheets. The vulnerability specifically targets the FEATURE_SECURE_PROCESSING flag which is designed to prevent dangerous operations during XML processing, yet fails to adequately restrict access to sensitive properties that could be exploited by malicious actors.

The technical flaw manifests through four distinct property vectors that can be manipulated to bypass security restrictions. Attackers can exploit the xalan:content-header and xalan:entities properties, as well as xslt:content-header and xslt:entities properties, to load arbitrary classes or access external resources. Additionally, the vulnerability extends to Java properties that are bound to the XSLT 1.0 system-property function, creating multiple attack surfaces within the transformation process. These properties are normally restricted when secure processing is enabled, but the flaw allows unauthorized access to their underlying functionality.

The operational impact of this vulnerability is severe and far-reaching within enterprise environments that utilize Apache Xalan-Java for XML processing. Remote attackers can leverage this vulnerability to execute arbitrary code on systems processing XML documents through XSLT transformations, potentially leading to complete system compromise. The ability to load arbitrary classes means attackers can execute malicious code, access sensitive data, or perform unauthorized operations on the target system. This vulnerability particularly affects web applications, enterprise systems, and any software that processes untrusted XML input through XSLT transformations, creating significant risk for organizations handling sensitive data.

Organizations should implement immediate mitigation strategies including upgrading to Apache Xalan-Java version 2.7.2 or later, which contains the necessary patches to address the access control bypass. System administrators should also configure proper input validation and sanitization for all XML processing components, implement network segmentation to limit access to vulnerable systems, and conduct thorough security assessments of all applications utilizing XSLT transformation capabilities. The vulnerability aligns with CWE-284 Access Control issues and maps to ATT&CK technique T1059 Command and Scripting Interpreter, as it enables remote code execution through XML processing. Additionally, this flaw demonstrates characteristics of privilege escalation and code injection attacks that require comprehensive security monitoring and incident response procedures to detect and remediate potential exploitation attempts.

Reservation

12/03/2013

Moderation

accepted

Entry

5

Relate

show

CPE

ready

EPSS

0.13809

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!