CVE-2014-0107 (Medium) detected in xalan-2.7.0.jar

[mend-for-github-com[bot]]

CVE-2014-0107 - Medium Severity Vulnerability

Vulnerable Library - xalan-2.7.0.jar

Path to dependency file: JAVA_DEMO/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xalan/xalan/2.7.0/xalan-2.7.0.jar,JAVA_DEMO/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.0.jar

Dependency Hierarchy: - :x: **xalan-2.7.0.jar** (Vulnerable Library)

Found in HEAD commit: 31e9f6b0e188589908d52f26b2e82abbe719e296

Found in base branch: main

Vulnerability Details

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

Publish Date: 2014-04-15

URL: CVE-2014-0107

CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: N/A - Attack Complexity: N/A - Privileges Required: N/A - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107

Release Date: 2014-04-15

Fix Resolution: 2.7.2

---

:rescue_worker_helmet: Automatic Remediation is available for this issue