Vulnerability Details : CVE-2014-0107
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain serializer output properties when FEATURE_SECURE_PROCESSING is enabled. A remote attacker who controls a stylesheet can bypass the expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-handler (spelled "content-header" in the original CVE text; the Xalan property is content-handler, which names a class to instantiate for output), (2) xalan:entities (which names a resource to load), (3) xslt:content-handler, or (4) xslt:entities output property, or can read a Java system property through the XSLT 1.0 system-property() function, which Xalan bound to Java properties. The fix shipped in Xalan-Java 2.7.2 (Apache SVN revision 1581058, issue XALANJ-2435 below).
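As an added example (not code from this page or from the Xalan-Java project), the following Python check scans an XSLT 1.0 stylesheet for the constructs the description names: the content-handler and entities output properties under either of the namespace URIs Xalan-Java recognises for its extension output properties (http://xml.apache.org/xalan and the older http://xml.apache.org/xslt), and system-property() calls whose argument is anything other than the three standard XSLT 1.0 names. The two sample stylesheets, the class name com.example.Probe and the file path in them are constructed for illustration.

```python
"""Static pre-check for the XSLT constructs behind CVE-2014-0107.

Added example, not Xalan-Java code. It inspects a stylesheet before it is
handed to an XSLT engine and reports the output properties and
system-property() uses that Xalan-Java < 2.7.2 honoured even with
FEATURE_SECURE_PROCESSING switched on.
"""
import re
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"
# Namespace URIs under which Xalan-Java reads its serializer output properties.
XALAN_OUTPUT_NS = ("http://xml.apache.org/xalan", "http://xml.apache.org/xslt")
# content-handler names a class to instantiate; entities names a resource to load.
DANGEROUS_OUTPUT_PROPS = ("content-handler", "entities")
# The only names XSLT 1.0 defines for system-property(); anything else reached
# java.lang.System properties in vulnerable Xalan versions.
XSLT_STANDARD_PROPS = {"xsl:version", "xsl:vendor", "xsl:vendor-url"}
# Matches system-property( with an optional quoted literal argument.
SYSPROP_RE = re.compile(r"""system-property\s*\(\s*(?:'([^']*)'|"([^"]*)")?""")


def scan_stylesheet(xslt_text):
    """Return a list of (finding, detail) tuples, in document order."""
    findings = []
    # xml.etree does not fetch external entities; for hostile input consider
    # defusedxml, which also caps internal entity expansion.
    root = ET.fromstring(xslt_text)

    # 1. xsl:output carrying Xalan extension properties (ET expands namespaced
    #    attribute names to the form "{uri}local").
    for out in root.iter("{%s}output" % XSL_NS):
        for attr, value in out.attrib.items():
            for ns in XALAN_OUTPUT_NS:
                prefix = "{%s}" % ns
                local = attr[len(prefix):] if attr.startswith(prefix) else None
                if local in DANGEROUS_OUTPUT_PROPS:
                    findings.append(("xsl:output " + local, value))

    # 2. system-property() anywhere an XPath expression can appear (select,
    #    test, match and attribute value templates are all attribute values).
    for elem in root.iter():
        for value in elem.attrib.values():
            for m in SYSPROP_RE.finditer(value):
                name = m.group(1) if m.group(1) is not None else m.group(2)
                if name is None:
                    findings.append(("system-property() with non-literal argument", value))
                elif name not in XSLT_STANDARD_PROPS:
                    findings.append(("system-property() reads Java system property", name))
    return findings


# Constructed sample: everything a vulnerable Xalan would act on.
SAMPLE_STYLESHEET = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:xalan="http://xml.apache.org/xalan">
  <xsl:output method="xml"
              xalan:content-handler="com.example.Probe"
              xalan:entities="file:///etc/hosts"/>
  <xsl:template match="/">
    <xsl:variable name="name" select="'user.dir'"/>
    <leak><xsl:value-of select="system-property('java.home')"/></leak>
    <dyn><xsl:value-of select="system-property($name)"/></dyn>
    <ok><xsl:value-of select="system-property('xsl:vendor')"/></ok>
  </xsl:template>
</xsl:stylesheet>"""

# Constructed sample: plain XSLT 1.0 with only the standard property names.
SAFE_STYLESHEET = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml" indent="yes"/>
  <xsl:template match="/">
    <engine><xsl:value-of select="system-property('xsl:vendor')"/></engine>
  </xsl:template>
</xsl:stylesheet>"""


if __name__ == "__main__":
    for finding in scan_stylesheet(SAMPLE_STYLESHEET):
        print("%s: %s" % finding)
    print("safe stylesheet findings:", scan_stylesheet(SAFE_STYLESHEET))
```

This catches only what is visible in the stylesheet text; output properties can also be set from Java code with Transformer.setOutputProperty, which no stylesheet scan will see. Treat the check as a triage aid for attacker-supplied XSLT, not a substitute for upgrading to Xalan-Java 2.7.2 or for refusing untrusted stylesheets altogether.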
Exploit prediction scoring system (EPSS) score for CVE-2014-0107
Probability of exploitation activity in the next 30 days: 0.54%
Percentile (proportion of all scored vulnerabilities with an EPSS score at or below this one): ~74%
CVSS scores for CVE-2014-0107
Base Score | Base Severity | CVSS v2 Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
CWE ids for CVE-2014-0107
- No CWE id recorded. Assigned by: nvd@nist.gov (Primary)
References for CVE-2014-0107
-
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
Oracle Critical Patch Update - January 2016 (Patch; Vendor Advisory)
-
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
HPSBGN03669 rev.2 - HPE SiteScope, Local Elevation of Privilege, Remote Denial of Service, Arbitrary Code Execution and Cross-Site Request Forgery
-
http://secunia.com/advisories/59247
Secunia Advisory SA59247
-
http://svn.apache.org/viewvc?view=revision&revision=1581058
[Apache-SVN] Revision 1581058 (Patch)
-
http://secunia.com/advisories/59515
Secunia Advisory SA59515
-
http://www.ibm.com/support/docview.wss?uid=swg21677967
IBM Support document swg21677967 (page no longer available)
-
https://issues.apache.org/jira/browse/XALANJ-2435
[XALANJ-2435] Use of secure processing feature should disable some output properties - ASF JIRA
-
https://www.tenable.com/security/tns-2018-15
[R2] SecurityCenter 5.8.0 Fixes Multiple Third-Party Vulnerabilities - Security Advisory | Tenable®
-
http://www-01.ibm.com/support/docview.wss?uid=swg21676093
IBM Security Bulletin: Security exposure in IBM Cognos Incentive Compensation Management (CVE-2014-0107)
-
https://www.oracle.com//security-alerts/cpujul2021.html
Oracle Critical Patch Update Advisory - July 2021
-
https://security.gentoo.org/glsa/201604-02
Xalan-Java: Arbitrary code execution (GLSA 201604-02) — Gentoo security
-
https://lists.apache.org/thread.html/r2900489bc665a2e32d021bb21f6ce2cb8e6bb5973490eebb9a346bca@%3Cdev.tomcat.apache.org%3E
[Bug 65516] upgrade to xalan 2.7.2 to address CVE-2014-0107 - Pony Mail
-
http://rhn.redhat.com/errata/RHSA-2014-1351.html
RHSA-2014:1351 - Security Advisory - Red Hat Customer Portal
-
http://rhn.redhat.com/errata/RHSA-2014-0348.html
RHSA-2014:0348 - Security Advisory - Red Hat Customer Portal
-
http://www-01.ibm.com/support/docview.wss?uid=swg21677145
IBM Security Bulletin: A vulnerability exists in Apache Xalan-Java prior to 2.7.2 as used in IBM QRadar SIEM 7.1 MR2, and 7.2 MR2. (CVE-2014-0107)
-
http://secunia.com/advisories/59290
Secunia Advisory SA59290
-
https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E
Apache Drill dev list thread (Pony Mail)
-
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
Oracle Critical Patch Update - October 2017
-
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
Oracle Critical Patch Update - April 2019
-
http://www-01.ibm.com/support/docview.wss?uid=swg21680703
IBM Security Bulletin: Vulnerability exists in Apache-Xalan-Java used in IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2014-0107)
-
http://www.securitytracker.com/id/1034711
Oracle Fusion Middleware Bugs Let Remote Users Access and Modify Data and Remote and Local Users Deny Service - SecurityTracker
-
https://lists.apache.org/thread.html/r0c00afcab8f238562e27b3ae7b8af1913c62bc60838fb8b34c19e26b@%3Cdev.tomcat.apache.org%3E
[Bug 65516] New: upgrade to xalan 2.7.2 to address CVE-2014-0107 - Pony Mail
-
https://exchange.xforce.ibmcloud.com/vulnerabilities/92023
Apache Xalan-Java output properties security bypass CVE-2014-0107 Vulnerability Report
-
http://secunia.com/advisories/59151
Secunia Advisory SA59151
-
http://www.securityfocus.com/bid/66397
Apache Xalan-Java Library CVE-2014-0107 Security Bypass Vulnerability
-
http://rhn.redhat.com/errata/RHSA-2015-1888.html
RHSA-2015:1888 - Security Advisory - Red Hat Customer Portal
-
http://www-01.ibm.com/support/docview.wss?uid=swg21674334
IBM Security Bulletin: IBM FileNet Business Process Framework is affected by a vulnerability in Apache Xalan-Java (CVE-2014-0107)
-
https://www.oracle.com/security-alerts/cpuoct2021.html
Oracle Critical Patch Update Advisory - October 2021
-
http://secunia.com/advisories/59291
Secunia Advisory SA59291
-
http://www.debian.org/security/2014/dsa-2886
Debian -- Security Information -- DSA-2886-1 libxalan2-java
-
http://www.securitytracker.com/id/1034716
Oracle WebLogic Multiple Bugs Let Remote Users Access and Modify Data and Deny Service - SecurityTracker
-
https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E
[jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities - Pony Mail
-
http://www.ocert.org/advisories/ocert-2014-002.html
oCERT-2014-002 (oCERT archive; US Government Resource)
-
http://www-01.ibm.com/support/docview.wss?uid=swg21681933
IBM Security Bulletin: A vulnerability exists in Apache Xalan-Java prior to 2.7.2 as used in IBM Sterling Control Center 5.2 (CVE-2014-0107)
Products affected by CVE-2014-0107
- cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:2.5.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:2.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:1.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:2.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:2.2.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:2.1.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:2.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:2.4.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:2.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:2.5.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:2.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:2.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:webcenter_sites:7.6.2:*:*:*:*:*:*:*