CVE-2014-0107
Summary
| CVE | CVE-2014-0107 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2014-04-15 23:13:00 UTC |
| Updated | 2023-11-07 02:18:00 UTC |
| Description | The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function. |
Risk And Classification
Problem Types: CWE-264
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Apache | Xalan-java | 1.0.0 | All | All | All |
| Application | Apache | Xalan-java | 2.0.0 | All | All | All |
| Application | Apache | Xalan-java | 2.0.1 | All | All | All |
| Application | Apache | Xalan-java | 2.1.0 | All | All | All |
| Application | Apache | Xalan-java | 2.2.0 | All | All | All |
| Application | Apache | Xalan-java | 2.4.0 | All | All | All |
| Application | Apache | Xalan-java | 2.4.1 | All | All | All |
| Application | Apache | Xalan-java | 2.5.0 | All | All | All |
| Application | Apache | Xalan-java | 2.5.1 | All | All | All |
| Application | Apache | Xalan-java | 2.5.2 | All | All | All |
| Application | Apache | Xalan-java | 2.6.0 | All | All | All |
| Application | Apache | Xalan-java | 2.7.0 | All | All | All |
| Application | Apache | Xalan-java | All | All | All | All |
| Application | Oracle | Webcenter Sites | 11.1.1.8.0 | All | All | All |
| Application | Oracle | Webcenter Sites | 7.6.2 | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| Debian -- Security Information -- DSA-2886-1 libxalan2-java | DEBIAN | www.debian.org | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Oracle Fusion Middleware Bugs Let Remote Users Access and Modify Data and Remote and Local Users Deny Service - SecurityTracker | SECTRACK | www.securitytracker.com | |
| Pony Mail! | | lists.apache.org | |
| Security Advisory SA59290 - Red Hat update for Red Hat JBoss BRMS - Secunia | SECUNIA | secunia.com | |
| IBM notice: The page you requested cannot be displayed | CONFIRM | www.ibm.com | |
| Security Advisory SA59369 - SUSE update for xalan-j2 - Secunia | SECUNIA | secunia.com | |
| IBM Security Bulletin: A vulnerability exists in Apache Xalan-Java prior to 2.7.2 as used in IBM QRadar SIEM 7.1 MR2, and 7.2 MR2. (CVE-2014-0107) - United States | CONFIRM | www-01.ibm.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Security Bulletin: Security exposure in IBM Cognos Incentive Compensation Management (CVE-2014-0107) | CONFIRM | www-01.ibm.com | |
| [R2] SecurityCenter 5.8.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory \| Tenable® | CONFIRM | www.tenable.com | |
| About Secunia Research \| Flexera | SECUNIA | secunia.com | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Security Advisory SA59711 - IBM Sterling B2B Integrator / File Gateway Apache Xalan-Java Security Bypass Vulnerability - Secunia | SECUNIA | secunia.com | |
| IBM Security Bulletin: A vulnerability exists in Apache Xalan-Java prior to 2.7.2 as used in IBM Sterling Control Center 5.2 (CVE-2014-0107) - United States | CONFIRM | www-01.ibm.com | |
| [tomcat-dev] 20210823 [Bug 65516] New: upgrade to xalan 2.7.2 to address CVE-2014-0107 | | lists.apache.org | |
| Oracle Critical Patch Update Advisory - July 2021 | N/A | www.oracle.com | |
| Security Advisory SA59151 - IBM Cognos Incentive Compensation Management Apache Xalan-Java Properties Handling Security Bypass Vulnerability - Secunia | SECUNIA | secunia.com | |
| Security Advisory SA59291 - Red Hat update for Red Hat JBoss BPM Suite - Secunia | SECUNIA | secunia.com | |
| Oracle Critical Patch Update Advisory - October 2021 | MISC | www.oracle.com | |
| Security Advisory SA57563 - Apache Xalan-Java FEATURE_SECURE_PROCESSING Properties Handling Security Bypass Vulnerability - Secunia | SECUNIA | secunia.com | |
| [Apache-SVN] Revision 1581058 | CONFIRM | svn.apache.org | Patch |
| Oracle WebLogic Multiple Bugs Let Remote Users Access and Modify Data and Deny Service - SecurityTracker | SECTRACK | www.securitytracker.com | |
| Apache Xalan-Java Library CVE-2014-0107 Security Bypass Vulnerability | BID | www.securityfocus.com | |
| Document Display \| HPE Support Center | CONFIRM | h20566.www2.hpe.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Security Advisory SA59247 - IBM FileNet Business Process Framework Apache Xalan-Java Security Bypass Vulnerability - Secunia | SECUNIA | secunia.com | |
| Xalan-Java: Arbitrary code execution (GLSA 201604-02) — Gentoo security | GENTOO | security.gentoo.org | |
| oCERT.org - oCERT Advisories | MISC | www.ocert.org | US Government Resource |
| [XALANJ-2435] Use of secure processing feature should disable some output properties - ASF JIRA | CONFIRM | issues.apache.org | |
| Red Hat Customer Portal | REDHAT | rhn.redhat.com | |
| Security Advisory SA60502 - IBM Sterling Control Center Apache Xalan-Java Security Bypass Vulnerability - Secunia | SECUNIA | secunia.com | |
| Security Bulletin: IBM FileNet Business Process Framework is affected by a vulnerability in Apache Xalan-Java (CVE-2014-0107) | CONFIRM | www-01.ibm.com | |
| IBM Security Bulletin: Vulnerability exists in Apache-Xalan-Java used in IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2014-0107) - United States | CONFIRM | www-01.ibm.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| IBM X-Force Exchange | XF | exchange.xforce.ibmcloud.com | |
| Security Advisory SA59036 - IBM QRadar SIEM Multiple Vulnerabilities - Secunia | SECUNIA | secunia.com | |
| Pony Mail! | MLIST | lists.apache.org | |
| Oracle Critical Patch Update - October 2017 | CONFIRM | www.oracle.com | |
| [tomcat-dev] 20210823 [Bug 65516] upgrade to xalan 2.7.2 to address CVE-2014-0107 | | lists.apache.org | |
| Pony Mail! | | lists.apache.org | |
| Oracle Critical Patch Update - January 2016 | CONFIRM | www.oracle.com | Patch, Vendor Advisory |
| Oracle Critical Patch Update Advisory - April 2019 | MISC | www.oracle.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.