Launchpad.net

CVE 2014-0096

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Related bugs and status

CVE-2014-0096 (Candidate) is related to these bugs:

Bug #1373589: several CVE's for tomcat 6.0.39 in trusty

Summary				In	Importance	Status
	1373589	several CVE's for tomcat 6.0.39 in trusty		tomcat6 (Ubuntu)	Undecided	Expired

Bug #1449975: Outstanding low priority security bugs in the tomcat7 packages

Summary				In	Importance	Status
	1449975	Outstanding low priority security bugs in the tomcat7 packages		tomcat7 (Ubuntu)	Low	Fix Released

See the

CVE page on Mitre.org for more details.

Launchpad.net

CVE 2014-0096

Related bugs and status

Related bugs

References