CVE-2014-0107
Description
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
Risk Information
Base Score
7.3
MODERATE
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
EPSS Score
Exploitation Probability
6.987
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2014-0107 are fixed in Apache-Xalan-xalan 2.7.2 | Windows |
| Multiple vulnerabilities are affected in Oracle WebLogic Server 7.5 | Windows |
| Multiple Vulnerabilities are affected in IBM Sterling B2B Integrator 5.1 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.0.3.0 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 7.0.4.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Security Guardium 11.0 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.3 | Windows |
| Multiple Vulnerabilities are affected in IBM UrbanCode Deploy 6.2.7.4 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.10.5.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.0.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.11.1 | Windows |
| Multiple Vulnerabilities are affected in IBM Operational Decision Manager 8.12.0 | Windows |
| Multiple Vulnerabilities are affected in IBM Planning Analytics Local 2.0.9.2 | Windows |
| XSL Transformations (XSLT) processor in Java (USN-2218-1) libxsltc-java_2.7.1-7ubuntu0.1_all.deb | Linux |
| XSL Transformations (XSLT) processor in Java (USN-2218-1) libxalan2-java_2.7.1-7ubuntu0.1_all.deb | Linux |
| Xalan-j2 update (CESA-2014:0348) xalan-j2-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| Xalan-j2 update (CESA-2014:0348) xalan-j2-demo-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| Xalan-j2 update (CESA-2014:0348) xalan-j2-xsltc-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| Xalan-j2 update (CESA-2014:0348) xalan-j2-manual-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| Xalan-j2 update (CESA-2014:0348) xalan-j2-javadoc-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| (RHSA-2014:0348) Important: xalan-j2 security update xalan-j2-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| (RHSA-2014:0348) Important: xalan-j2 security update xalan-j2-demo-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| (RHSA-2014:0348) Important: xalan-j2 security update xalan-j2-javadoc-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| (RHSA-2014:0348) Important: xalan-j2 security update xalan-j2-manual-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| (RHSA-2014:0348) Important: xalan-j2 security update xalan-j2-xsltc-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| Xalan-j2 update (ELSA-2014-0348) xalan-j2-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| Xalan-j2-demo update (ELSA-2014-0348) xalan-j2-demo-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| Xalan-j2-javadoc update (ELSA-2014-0348) xalan-j2-javadoc-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| Xalan-j2-manual update (ELSA-2014-0348) xalan-j2-manual-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| Xalan-j2-xsltc update (ELSA-2014-0348) xalan-j2-xsltc-2.7.0-9.9.el6_5.noarch.rpm | Linux |
| Vulnerabilities CVE-2014-0107 are fixed in Apache-Xalan-xalan for Linux 2.7.2 | Linux |
| CVE-2014-0107 | NCM |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234