CVE-2014-0107
Summary
| CVE | CVE-2014-0107 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-04-15 23:13:13 UTC |
| Updated | 2026-05-06 22:30:45 UTC |
| Description | The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function. |
Risk And Classification
CVSS v2.0 Breakdown
Access Vector
NetworkAccess Complexity
LowAuthentication
NoneConfidentiality
PartialIntegrity
PartialAvailability
PartialAV:N/AC:L/Au:N/C:P/I:P/A:P
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Xalan-java | 1.0.0 | All | All | All |
| Application | Apache | Xalan-java | 2.0.0 | All | All | All |
| Application | Apache | Xalan-java | 2.0.1 | All | All | All |
| Application | Apache | Xalan-java | 2.1.0 | All | All | All |
| Application | Apache | Xalan-java | 2.2.0 | All | All | All |
| Application | Apache | Xalan-java | 2.4.0 | All | All | All |
| Application | Apache | Xalan-java | 2.4.1 | All | All | All |
| Application | Apache | Xalan-java | 2.5.0 | All | All | All |
| Application | Apache | Xalan-java | 2.5.1 | All | All | All |
| Application | Apache | Xalan-java | 2.5.2 | All | All | All |
| Application | Apache | Xalan-java | 2.6.0 | All | All | All |
| Application | Apache | Xalan-java | 2.7.0 | All | All | All |
| Application | Apache | Xalan-java | All | All | All | All |
| Application | Oracle | Webcenter Sites | 11.1.1.8.0 | All | All | All |
| Application | Oracle | Webcenter Sites | 7.6.2 | All | All | All |
Vendor Declared Affected Products
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Security Advisory SA59036 - IBM QRadar SIEM Multiple Vulnerabilities - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security Bulletin: IBM FileNet Business Process Framework is affected by a vulnerability in Apache Xalan-Java (CVE-2014-0107) | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Security Advisory SA57563 - Apache Xalan-Java FEATURE_SECURE_PROCESSING Properties Handling Security Bypass Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Oracle Critical Patch Update Advisory - October 2021 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Oracle Fusion Middleware Bugs Let Remote Users Access and Modify Data and Remote and Local Users Deny Service - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| [XALANJ-2435] Use of secure processing feature should disable some output properties - ASF JIRA | af854a3a-2127-422b-91ae-364da2661108 | issues.apache.org | |
| Oracle Critical Patch Update Advisory - July 2021 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Security Advisory SA59711 - IBM Sterling B2B Integrator / File Gateway Apache Xalan-Java Security Bypass Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security Advisory SA59290 - Red Hat update for Red Hat JBoss BRMS - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| IBM Security Bulletin: A vulnerability exists in Apache Xalan-Java prior to 2.7.2 as used in IBM QRadar SIEM 7.1 MR2, and 7.2 MR2. (CVE-2014-0107) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| IBM Security Bulletin: A vulnerability exists in Apache Xalan-Java prior to 2.7.2 as used in IBM Sterling Control Center 5.2 (CVE-2014-0107) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Document Display | HPE Support Center | af854a3a-2127-422b-91ae-364da2661108 | h20566.www2.hpe.com | |
| [R2] SecurityCenter 5.8.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory | Tenable® | af854a3a-2127-422b-91ae-364da2661108 | www.tenable.com | |
| lists.apache.org/thread.html/r2900489bc665a2e32d021bb21f6ce2cb8e6bb5973490eebb... | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| IBM notice: The page you requested cannot be displayed | af854a3a-2127-422b-91ae-364da2661108 | www.ibm.com | |
| Security Advisory SA59247 - IBM FileNet Business Process Framework Apache Xalan-Java Security Bypass Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Security Advisory SA60502 - IBM Sterling Control Center Apache Xalan-Java Security Bypass Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Oracle Critical Patch Update - October 2017 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Security Advisory SA59369 - SUSE update for xalan-j2 - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Oracle Critical Patch Update - January 2016 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | Patch, Vendor Advisory |
| About Secunia Research | Flexera | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Apache Xalan-Java Library CVE-2014-0107 Security Bypass Vulnerability | af854a3a-2127-422b-91ae-364da2661108 | www.securityfocus.com | |
| IBM X-Force Exchange | af854a3a-2127-422b-91ae-364da2661108 | exchange.xforce.ibmcloud.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| [Apache-SVN] Revision 1581058 | af854a3a-2127-422b-91ae-364da2661108 | svn.apache.org | Patch |
| lists.apache.org/thread.html/r0c00afcab8f238562e27b3ae7b8af1913c62bc60838fb8b3... | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| Oracle Critical Patch Update Advisory - April 2019 | af854a3a-2127-422b-91ae-364da2661108 | www.oracle.com | |
| Security Bulletin: Security exposure in IBM Cognos Incentive Compensation Management (CVE-2014-0107) | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| Security Advisory SA59291 - Red Hat update for Red Hat JBoss BPM Suite - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| IBM Security Bulletin: Vulnerability exists in Apache-Xalan-Java used in IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2014-0107) - United States | af854a3a-2127-422b-91ae-364da2661108 | www-01.ibm.com | |
| oCERT.org - oCERT Advisories | af854a3a-2127-422b-91ae-364da2661108 | www.ocert.org | US Government Resource |
| Oracle WebLogic Multiple Bugs Let Remote Users Access and Modify Data and Deny Service - SecurityTracker | af854a3a-2127-422b-91ae-364da2661108 | www.securitytracker.com | |
| Debian -- Security Information -- DSA-2886-1 libxalan2-java | af854a3a-2127-422b-91ae-364da2661108 | www.debian.org | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Security Advisory SA59151 - IBM Cognos Incentive Compensation Management Apache Xalan-Java Properties Handling Security Bypass Vulnerability - Secunia | af854a3a-2127-422b-91ae-364da2661108 | secunia.com | |
| Red Hat Customer Portal | af854a3a-2127-422b-91ae-364da2661108 | rhn.redhat.com | |
| Pony Mail! | af854a3a-2127-422b-91ae-364da2661108 | lists.apache.org | |
| Xalan-Java: Arbitrary code execution (GLSA 201604-02) — Gentoo security | af854a3a-2127-422b-91ae-364da2661108 | security.gentoo.org | |
| Pony Mail! | MITRE | lists.apache.org | |
| Pony Mail! | MITRE | lists.apache.org | |
| Pony Mail! | MITRE | lists.apache.org | |
| Pony Mail! | MITRE | lists.apache.org | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.