[SECURITY] CVE-2014-0096 Apache Tomcat information disclosure

From: Mark Thomas <markt@apache.org>
To: Tomcat Users List <users@tomcat.apache.org>
Cc: Tomcat Developers List <dev@tomcat.apache.org>,announce@apache.org,announce@tomcat.apache.org,fulldisclosure@seclists.org,bugtraq@securityfocus.com
Subject: [SECURITY] CVE-2014-0096 Apache Tomcat information disclosure

CVE-2014-0096 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

The default servlet allows web applications to define (at multiple
levels) an XSLT to be used to format a directory listing. When running
under a security manager, the processing of these was not subject to the
same constraints as the web application. This enabled a malicious web
application to bypass the file access constraints imposed by the
security manager via the use of external XML entities.
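The control that closes off this class of problem is to process stylesheets from an untrusted source with external entity, DTD and external stylesheet resolution switched off, so the transform can only read the XML it is given. The following is an added example written for this page, not Tomcat's own code or its fix: it uses the standard JAXP API (`SAXParserFactory`, `TransformerFactory`) to apply a directory-listing XSLT under those restrictions. The `listing` document and the stylesheet are constructed samples, and the class and method names are the example's own.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamResult;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

// Added example: apply a directory-listing XSLT without allowing the
// stylesheet or the input to pull in external entities or DTDs.
public class HardenedListingTransform {

    /** XMLReader that rejects DOCTYPEs and never resolves external entities. */
    static XMLReader secureReader() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        spf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        return spf.newSAXParser().getXMLReader();
    }

    /** TransformerFactory that refuses external DTD and stylesheet fetches (document() etc.). */
    static TransformerFactory secureFactory() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Transform listingXml with xsltText; both are parsed by the secured reader. */
    public static String transform(String xsltText, String listingXml) throws Exception {
        SAXSource xslt = new SAXSource(secureReader(), new InputSource(new StringReader(xsltText)));
        SAXSource input = new SAXSource(secureReader(), new InputSource(new StringReader(listingXml)));
        Transformer t = secureFactory().newTransformer(xslt);
        StringWriter out = new StringWriter();
        t.transform(input, new StreamResult(out));
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample listing, roughly the shape the default servlet emits
        String listing = "<listing contextPath='/app' directory='/'>"
                + "<entries><entry type='file' size='12'>readme.txt</entry></entries></listing>";
        // Constructed sample stylesheet that renders the entries as an HTML list
        String xslt = "<xsl:stylesheet version='1.0' xmlns:xsl='http://www.w3.org/1999/XSL/Transform'>"
                + "<xsl:output method='html'/>"
                + "<xsl:template match='/'><ul><xsl:for-each select='listing/entries/entry'>"
                + "<li><xsl:value-of select='.'/></li></xsl:for-each></ul></xsl:template>"
                + "</xsl:stylesheet>";
        System.out.println(transform(xslt, listing));

        // A stylesheet that carries a DOCTYPE is rejected by the reader before any
        // entity declaration inside it could be resolved.
        String withDoctype = "<!DOCTYPE xsl:stylesheet>" + xslt;
        try {
            transform(withDoctype, listing);
        } catch (Exception e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of parsing the stylesheet itself through `secureReader()` rather than handing the factory a `StreamSource` is that the stylesheet is the untrusted input here: a web application chooses the XSLT, so the entity and DTD restrictions must apply to it, not only to the listing document.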

Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

This issue was identified by the Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
