what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 22 of 22 RSS Feed

CVE-2014-0119

Status Candidate

Overview

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.

Related Files

Debian Security Advisory 3530-1
Posted Mar 26, 2016
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3530-1 - Multiple security vulnerabilities have been fixed in the Tomcat servlet and JSP engine, which may result on bypass of security manager restrictions, information disclosure, denial of service or session fixation.

tags | advisory, denial of service, vulnerability, info disclosure
systems | linux, debian
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0033, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0227, CVE-2014-0230, CVE-2014-7810, CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763
SHA-256 | 77795095ecabfbe0b7faeebcf56310cbe664e59cc59399f4ca8042fe47af5751
HP Security Bulletin HPSBOV03503 1
Posted Oct 16, 2015
Authored by HP | Site hp.com

HP Security Bulletin HPSBOV03503 1 - Potential security vulnerabilities have been identified in HP OpenVMS CSWS_JAVA running Tomcat. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) and other impacts. Revision 1 of this advisory.

tags | advisory, denial of service, vulnerability
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2013-4444, CVE-2013-4590, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0230, CVE-2014-0277
SHA-256 | 529c9865f300c4577f0cb1a099b9c6c0dc655e76cec33af6c93b9fc6302c8152
Ubuntu Security Notice USN-2654-1
Posted Jun 25, 2015
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 2654-1 - It was discovered that the Tomcat XML parser incorrectly handled XML External Entities (XXE). A remote attacker could possibly use this issue to read arbitrary files. This issue only affected Ubuntu 14.04 LTS. It was discovered that Tomcat incorrectly handled data with malformed chunked transfer coding. A remote attacker could possibly use this issue to conduct HTTP request smuggling attacks, or cause Tomcat to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. Various other issues were also addressed.

tags | advisory, remote, web, denial of service, arbitrary, xxe
systems | linux, ubuntu
advisories | CVE-2014-0119, CVE-2014-0227, CVE-2014-0230, CVE-2014-7810
SHA-256 | a174f8e325d9828914e2df7525e1cae37224c8bc3844309db620b32444e9b830
Red Hat Security Advisory 2015-0765-01
Posted Apr 1, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-0765-01 - Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems-such as multiple databases, XML files, and even Hadoop systems-appear as a set of tables in a local database. This roll up patch serves as a cumulative upgrade for Red Hat JBoss Data Virtualization 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.

tags | advisory, local
systems | linux, redhat
advisories | CVE-2012-6153, CVE-2013-4002, CVE-2013-5855, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0193, CVE-2014-0227, CVE-2014-3481, CVE-2014-3490, CVE-2014-3530, CVE-2014-3577
SHA-256 | 812ceadc9b7405e1b74c028dd9bff48d69f0ce6f109bef7f38161627f77360fb
Mandriva Linux Security Advisory 2015-084
Posted Mar 30, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-084 - An updated tomcat package fixes multiple security vulnerabilities.

tags | advisory, vulnerability
systems | linux, mandriva
advisories | CVE-2013-4322, CVE-2013-4590, CVE-2014-0050, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0227
SHA-256 | 64e66ca878e099d017de20173c80aa4b21ef506d6441fa3365891cde5f40850e
Red Hat Security Advisory 2015-0720-01
Posted Mar 25, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-0720-01 - Red Hat JBoss Fuse Service Works is the next-generation ESB and business process automation infrastructure. This roll up patch serves as a cumulative upgrade for Red Hat JBoss Fuse Service Works 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.

tags | advisory
systems | linux, redhat
advisories | CVE-2012-6153, CVE-2013-4002, CVE-2013-5855, CVE-2014-0005, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0193, CVE-2014-0227, CVE-2014-3472, CVE-2014-3481, CVE-2014-3490, CVE-2014-3530, CVE-2014-3558, CVE-2014-3577, CVE-2014-3578, CVE-2014-3625
SHA-256 | 4ce89b92cfd48ba7281a739aa5bd977c0dd79177e1e4b9ae367ed1deba2659c9
Red Hat Security Advisory 2015-0675-01
Posted Mar 12, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-0675-01 - Red Hat JBoss Data Virtualization is a lean data integration solution that provides easy, real-time, and unified data access across disparate sources to multiple applications and users. JBoss Data Virtualization makes data spread across physically distinct systems such as multiple databases, XML files, and even Hadoop systems appear as a set of tables in a local database. The release of Red Hat JBoss Data Virtualization 6.1.0 serves as a replacement for Red Hat JBoss Data Virtualization 6.0.0. It includes various bug fixes, which are listed in the README file included with the patch files.

tags | advisory, local
systems | linux, redhat
advisories | CVE-2012-6153, CVE-2013-4002, CVE-2013-4517, CVE-2013-5855, CVE-2014-0059, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0193, CVE-2014-0227, CVE-2014-3481, CVE-2014-3490, CVE-2014-3530, CVE-2014-3577, CVE-2014-3623, CVE-2014-7839, CVE-2014-8122
SHA-256 | a75cda8ec63a5e546176c931f472dd7be9d8e3618cc45e5e9dc28e234143ba38
Mandriva Linux Security Advisory 2015-052
Posted Mar 3, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-052 - Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via a Content-Length header and a Transfer-Encoding: chunked header. Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without properly handling a large total amount of chunked data or whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. Various otehr issues have also been addressed.

tags | advisory, java, remote, web, denial of service, overflow, arbitrary
systems | linux, mandriva
advisories | CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0227
SHA-256 | 97bbcd6d4926c538ddee85ad3d0f0b44d18269f0be80dd2f5d3003993c58a4a6
Mandriva Linux Security Advisory 2015-053
Posted Mar 3, 2015
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2015-053 - Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 allows remote attackers to cause a denial of service via a malformed chunk size in chunked transfer coding of a request during the streaming of data. java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity issue. Various other issues have also been addressed.

tags | advisory, java, remote, web, denial of service, overflow, arbitrary, xxe
systems | linux, mandriva
advisories | CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0227
SHA-256 | fe7dd525200711ca8beef5888a4d5fba2a1e6a655e7bc8d56fb1e925244aad4b
Red Hat Security Advisory 2015-0235-01
Posted Feb 17, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-0235-01 - Red Hat JBoss BRMS is a business rules management system for the management, storage, creation, modification, and deployment of JBoss Rules. This roll up patch serves as a cumulative upgrade for Red Hat JBoss BRMS 6.0.3, and includes bug fixes and enhancements. It includes various bug fixes, which are listed in the README file included with the patch files.

tags | advisory
systems | linux, redhat
advisories | CVE-2012-6153, CVE-2013-4002, CVE-2013-5855, CVE-2014-0005, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0193, CVE-2014-0227, CVE-2014-3472, CVE-2014-3490, CVE-2014-3530, CVE-2014-3558, CVE-2014-3577, CVE-2014-3578, CVE-2014-3625, CVE-2014-3682, CVE-2014-8114, CVE-2014-8115
SHA-256 | f64f2ca65fbace1e4788ea16f69ecf599345eb34f981247acfbecdcca41d5401
Red Hat Security Advisory 2015-0234-01
Posted Feb 17, 2015
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2015-0234-01 - Red Hat JBoss BPM Suite is a business rules and processes management system for the management, storage, creation, modification, and deployment of JBoss rules and BPMN2-compliant business processes. This roll up patch serves as a cumulative upgrade for Red Hat JBoss BPM Suite 6.0.3, and includes bug fixes and enhancements. It includes various bug fixes, which are listed in the README file included with the patch files.

tags | advisory
systems | linux, redhat
advisories | CVE-2012-6153, CVE-2013-4002, CVE-2013-5855, CVE-2014-0005, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0193, CVE-2014-0227, CVE-2014-3472, CVE-2014-3490, CVE-2014-3530, CVE-2014-3558, CVE-2014-3577, CVE-2014-3578, CVE-2014-3625, CVE-2014-3682, CVE-2014-8114, CVE-2014-8115
SHA-256 | 89d8125129242bfb26c8918f339b601f902009b742ed74af25c35427a3a89137
Gentoo Linux Security Advisory 201412-29
Posted Dec 15, 2014
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201412-29 - Multiple vulnerabilities have been found in Apache Tomcat, the worst of which may result in Denial of Service. Versions less than 7.0.56 are affected.

tags | advisory, denial of service, vulnerability
systems | linux, gentoo
advisories | CVE-2012-2733, CVE-2012-3544, CVE-2012-3546, CVE-2012-4431, CVE-2012-4534, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887, CVE-2013-2067, CVE-2013-2071, CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0033, CVE-2014-0050, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119
SHA-256 | 812d31eb8958cb4cc614f89b209201bd059c54668a58d0182c6f4a98085d268e
HP Security Bulletin HPSBUX03102 SSRT101681
Posted Sep 8, 2014
Authored by HP | Site hp.com

HP Security Bulletin HPSBUX03102 SSRT101681 - Potential security vulnerabilities have been identified with the HP-UX Apache Web Server Suite, Tomcat Servlet Engine, and PHP. These vulnerabilities could be exploited remotely to execute arbitrary code, create a Denial of Service (DoS), or other vulnerabilities. Revision 1 of this advisory.

tags | advisory, web, denial of service, arbitrary, php, vulnerability
systems | hpux
advisories | CVE-2013-6438, CVE-2014-0075, CVE-2014-0096, CVE-2014-0098, CVE-2014-0099, CVE-2014-0119, CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3515, CVE-2014-3981, CVE-2014-4049
SHA-256 | af8b2d2dc4651b5c40e03e7712d4122b482e686ce4b4e96895b3bb04d657963a
Red Hat Security Advisory 2014-1086-01
Posted Aug 21, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1086-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.0.1, and includes several bug fixes.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2013-4590, CVE-2014-0118, CVE-2014-0119, CVE-2014-0221, CVE-2014-0226, CVE-2014-0231
SHA-256 | 1869ac672baeb6d6231ed4264632e0262537ca84832e3d8b68ec845527428f94
Red Hat Security Advisory 2014-1087-01
Posted Aug 21, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1087-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.0.1, and includes several bug fixes.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2013-4590, CVE-2014-0118, CVE-2014-0119, CVE-2014-0226, CVE-2014-0231
SHA-256 | 7b43399c8297d76dd46dd0933745d26b4de10eebe9f700a43e687901819a236b
Red Hat Security Advisory 2014-1088-01
Posted Aug 21, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1088-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release serves as a replacement for Red Hat JBoss Web Server 2.0.1, and includes several bug fixes.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2013-4590, CVE-2014-0118, CVE-2014-0119, CVE-2014-0226, CVE-2014-0231
SHA-256 | 4da1d3ba75d748e08e95de45e5cf1defc759a9a506037cddf827b73f39496145
Red Hat Security Advisory 2014-1038-01
Posted Aug 11, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1038-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that several application-provided XML files, such as web.xml, content.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment.

tags | advisory, java, web, xxe
systems | linux, redhat
advisories | CVE-2013-4590, CVE-2014-0119
SHA-256 | 220eef9b77e8329c308283833debe085021b4510cef9b147d1800c2590e7f7da
Red Hat Security Advisory 2014-1034-01
Posted Aug 8, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-1034-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors, and tag plug-in configuration files. The injected XML parser could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same Apache Tomcat instance.

tags | advisory, java, web, xxe
systems | linux, redhat
advisories | CVE-2014-0119
SHA-256 | 3e502c379842f949aa84688ae16c32c5acda8edbb9f220f665768110cbd1d22b
Red Hat Security Advisory 2014-0895-01
Posted Jul 16, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0895-01 - Red Hat JBoss Data Grid is a distributed in-memory data grid, based on Infinispan. This release of Red Hat JBoss Data Grid 6.3.0 serves as a replacement for Red Hat JBoss Data Grid 6.2.1. It includes various bug fixes and enhancements which are detailed in the Red Hat JBoss Data Grid 6.3.0 Release Notes.

tags | advisory
systems | linux, redhat
advisories | CVE-2014-0058, CVE-2014-0059, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119
SHA-256 | aeb0b570938a9a6265d4028ddf3b4294b3853a5be7bb3907f9ec1aa0586df308
Red Hat Security Advisory 2014-0843-01
Posted Jul 7, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0843-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that JBoss Web did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web by streaming an unlimited quantity of data, leading to excessive consumption of server resources. It was found that JBoss Web did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a JBoss Web server located behind a reverse proxy that processed the content length header correctly.

tags | advisory, java, remote, web, denial of service, overflow
systems | linux, redhat
advisories | CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119
SHA-256 | a6cc1be3f1885282158acec79e328dcd8c345e4b282490b64c738d66a990afb1
Red Hat Security Advisory 2014-0842-01
Posted Jul 7, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0842-01 - Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7. It was discovered that JBoss Web did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against JBoss Web by streaming an unlimited quantity of data, leading to excessive consumption of server resources. It was found that JBoss Web did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a JBoss Web server located behind a reverse proxy that processed the content length header correctly.

tags | advisory, java, remote, web, denial of service, overflow
systems | linux, redhat
advisories | CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119
SHA-256 | 3730ead4d99e94df65ba5aed1ed73050fa6e4d03e8b6d2f9203fd8f685755368
Apache Tomcat XML Parser Information Disclosure
Posted May 30, 2014
Authored by Mark Thomas | Site tomcat.apache.org

In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XMl parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance. Versions affected include Apache Tomcat 8.0.0-RC1 to 8.0.5, Apache Tomcat 7.0.0 to 7.0.53, and Apache Tomcat 6.0.0 to 6.0.39.

tags | advisory, web, xxe
advisories | CVE-2014-0119
SHA-256 | b71018c17fe31cadd9009eec7e6aa8baac5fe8224526001717dfff63d30296e6
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close