www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject [SECURITY] CVE-2014-0096 Apache Tomcat information disclosure
Date Tue, 27 May 2014 12:46:33 GMT
CVE-2014-0096 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

The default servlet allows web applications to define (at multiple
levels) an XSLT to be used to format a directory listing. When running
under a security manager, the processing of these was not subject to the
same constraints as the web application. This enabled a malicious web
application to bypass the file access constraints imposed by the
security manager via the use of external XML entities.

Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

This issue was identified by the Tomcat security team.

[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html

View raw message