Path to vulnerable library: /home/wss-scanner/.m2/repository/xalan/xalan/2.7.0/xalan-2.7.0.jar,JAVA_DEMO/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.0.jar
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
CVE-2014-0107 - Medium Severity Vulnerability
Vulnerable Library - xalan-2.7.0.jar
Path to dependency file: JAVA_DEMO/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xalan/xalan/2.7.0/xalan-2.7.0.jar,JAVA_DEMO/target/easybuggy-1-SNAPSHOT/WEB-INF/lib/xalan-2.7.0.jar
Dependency Hierarchy: - :x: **xalan-2.7.0.jar** (Vulnerable Library)
Found in HEAD commit: 31e9f6b0e188589908d52f26b2e82abbe719e296
Found in base branch: main
Vulnerability Details
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
Publish Date: 2014-04-15
URL: CVE-2014-0107
CVSS 3 Score Details (5.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: N/A - Attack Complexity: N/A - Privileges Required: N/A - User Interaction: N/A - Scope: N/A - Impact Metrics: - Confidentiality Impact: N/A - Integrity Impact: N/A - Availability Impact: N/A
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107
Release Date: 2014-04-15
Fix Resolution: 2.7.2
:rescue_worker_helmet: Automatic Remediation is available for this issue