CVE-2014-0096

medium

Apache

CVSS v3 Base Score

4.3

AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS Score

5.8%

Exploitation probability in 30 days

Top 9% most likely to be exploited

Attack Characteristics

Attack Vector

Network

Attack Complexity

Confidentiality

Integrity

None

Availability

None

Published: May 31, 2014 (4367 days ago)

Last Modified: May 6, 2026

Vendor: Apache

Source: NVD

Description

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

CWE

CWE-264

Affected Products

apache tomcat

References

🔗 advisories.mageia.org 🔗 linux.oracle.com 🔗 lists.fedoraproject.org 🔗 marc.info 🔗 marc.info

CVE-2014-0096

Vulnerability Report

Description

CWE

Affected Products

References