UBUNTU-CVE-2014-0107
- Source
- https://ubuntu.com/security/CVE-2014-0107
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2014/UBUNTU-CVE-2014-0107.json
- JSON Data
- https://api.osv.dev/v1/vulns/UBUNTU-CVE-2014-0107
- Related
- Published
- 2014-04-15T00:00:00Z
- Modified
- 2014-04-15T00:00:00Z
- Summary
- [none]
- Details
-
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURESECUREPROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
- References
Affected packages
Ubuntu:14.04:LTS / libxalan2-java
Package
- Name
- libxalan2-java
- Purl
- pkg:deb/ubuntu/libxalan2-java?arch=src?distro=trusty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.7.1-9
Ecosystem specific
{
"availability": "No subscription required",
"ubuntu_priority": "medium",
"binaries": [
{
"binary_version": "2.7.1-9",
"binary_name": "libxalan2-java"
},
{
"binary_version": "2.7.1-9",
"binary_name": "libxalan2-java-doc"
},
{
"binary_version": "2.7.1-9",
"binary_name": "libxsltc-java"
}
]
}