PT-2014-1447 · Apache+5 · Apache Tomcat+5
Published 2014-05-21 · Updated 2022-05-14
CVE-2014-0119
CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 6.0.0 through 6.0.39
Apache Tomcat versions 7.0.0 through 7.0.53
Apache Tomcat versions 8.0.0 through 8.0.5
Description
The issue allows remote attackers to read arbitrary files via a crafted web application that supplies an XML external entity declaration together with an entity reference, i.e. an XML External Entity (XXE) issue. It also allows a crafted web application to read files belonging to other web applications deployed on the same Tomcat instance. The root cause is that the class loader which accesses the XML parser used with an XSLT stylesheet was not properly constrained.
Recommendations
For Apache Tomcat versions 6.0.0 through 6.0.39, update to version 6.0.40 or later.
For Apache Tomcat versions 7.0.0 through 7.0.53, update to version 7.0.54 or later.
For Apache Tomcat versions 8.0.0 through 8.0.5, update to version 8.0.6 or later.
As a temporary workaround, consider restricting access to the XML parser used by the default servlet, JSP documents, tag library descriptors (TLDs), and tag plugin configuration files to minimize the risk of exploitation.
Affected products
Apache Tomcat
CentOS
HP-UX
Red Hat
SUSE
Ubuntu