What is CVE-2014-0107?

CVE-2014-0107 is a vulnerability in Apache Xalan-java, classified under CWE-264. Published 2014-04-15.

Is CVE-2014-0107 known to be exploited?

7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Xalan-java

CVE-2014-0107

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary cl…

EPSS: 0.059 (90.8th percentile) — read the EPSS interpretation.

Affected products

Apache Xalan-java — versions 1.0.0, 2.0.0, 2.0.1
Oracle Webcenter_sites — versions 7.6.2, 11.1.1.8.0
N/a — versions n/a

Weakness classification (CWE)

CWE-264

Public proof-of-concept exploits

References

GLSA-201604-02 (vendor-advisory, x_refsource_GENTOO)
59291 (x_refsource_SECUNIA, third-party-advisory)
59290 (x_refsource_SECUNIA, third-party-advisory)
RHSA-2015:1888 (x_refsource_REDHAT, vendor-advisory)
59151 (x_refsource_SECUNIA, third-party-advisory)
59247 (x_refsource_SECUNIA, third-party-advisory)
59515 (x_refsource_SECUNIA, third-party-advisory)
DSA-2886 (vendor-advisory, x_refsource_DEBIAN)
60502 (x_refsource_SECUNIA, third-party-advisory)
59369 (x_refsource_SECUNIA, third-party-advisory)

Frequently asked questions

What is CVE-2014-0107?: CVE-2014-0107 is a vulnerability in Apache Xalan-java, classified under CWE-264. Published 2014-04-15.
Is CVE-2014-0107 known to be exploited?: 7 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.