GHSA-qprx-q2r7-3rx6

Suggest an improvement
Source
https://github.com/advisories/GHSA-qprx-q2r7-3rx6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qprx-q2r7-3rx6/GHSA-qprx-q2r7-3rx6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-qprx-q2r7-3rx6
Aliases
  • CVE-2014-0096
Published
2022-05-14T01:10:18Z
Modified
2024-11-28T05:42:21.248724Z
Summary
Improper Input Validation in Apache Tomcat
Details

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Database specific
{
    "nvd_published_at": "2014-05-31T11:17:00Z",
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-07T22:54:11Z"
}
References

Affected packages

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.40

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
7.0.0
Fixed
7.0.54

Affected versions

7.*

7.0.35
7.0.37
7.0.39
7.0.40
7.0.41
7.0.42
7.0.47
7.0.50
7.0.52
7.0.53

Maven / org.apache.tomcat:tomcat

Package

Name
org.apache.tomcat:tomcat
View open source insights on deps.dev
Purl
pkg:maven/org.apache.tomcat/tomcat

Affected ranges

Type
ECOSYSTEM
Events
Introduced
8.0.0
Fixed
8.0.6

Affected versions

8.*

8.0.1
8.0.3
8.0.5