CVE-2014-0119
XML External Entity (XXE) vulnerability in tomcat (Maven)

Tags: XML External Entity (XXE) | No known exploit | Fixable by Resolved Security

What is CVE-2014-0119 About?

Apache Tomcat is vulnerable to XML External Entity (XXE) attacks that allow remote attackers to read arbitrary files. The cause is that Tomcat does not properly constrain the class loader that accesses the XML parser. Exploitation involves deploying a crafted web application containing a malicious XSLT stylesheet.

Affected Software

  • org.apache.tomcat:tomcat
    • <6.0.40
    • >7.0.0, <7.0.54
    • >8.0.0, <8.0.6
  • org.apache.tomcat:tomcat-catalina
    • <6.0.40
    • >7.0.0, <7.0.54
    • >8.0.0, <8.0.6
  • org.apache.tomcat:tomcat-jasper
    • <6.0.40
    • >7.0.0, <7.0.54
    • >8.0.0, <8.0.6

Technical Details

Apache Tomcat versions before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 suffer from an XML External Entity (XXE) vulnerability. The core issue is that Tomcat does not properly constrain the class loader for the XML parser used when processing XSLT stylesheets. This flaw allows a malicious web application, once deployed on Tomcat, to include an XML external entity declaration in an XSLT stylesheet that points to local files or other resources. When the stylesheet is processed, the XML parser resolves the external entity, so the content of arbitrary files on the server's file system, including files belonging to other web applications on the same Tomcat instance, can be read by the malicious application.

What is the Impact of CVE-2014-0119?

Successful exploitation may allow attackers to read arbitrary files from the server's file system, potentially leading to sensitive information disclosure, or read files associated with other web applications on the same server, leading to cross-application data leakage.

What is the Exploitability of CVE-2014-0119?

Exploitation of this XXE vulnerability is of medium complexity. It requires an attacker to deploy a specially crafted web application onto the vulnerable Tomcat instance. This typically implies either prior compromise of the Tomcat management interface or the ability to publish applications. No direct authentication is required for the XXE attack itself once the malicious application is deployed. The attack is remote, initiated by interacting with the deployed web application. Prerequisites include a vulnerable version of Tomcat and the ability to deploy applications. Risk factors include shared hosting environments where untrusted users can deploy applications, or misconfigurations that allow remote deployment.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2014-0119?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

None

Available Upgrade Options

  • org.apache.tomcat:tomcat
    • <6.0.40 → Upgrade to 6.0.40
    • >7.0.0, <7.0.54 → Upgrade to 7.0.54
    • >8.0.0, <8.0.6 → Upgrade to 8.0.6
  • org.apache.tomcat:tomcat-catalina
    • <6.0.40 → Upgrade to 6.0.40
    • >7.0.0, <7.0.54 → Upgrade to 7.0.54
    • >8.0.0, <8.0.6 → Upgrade to 8.0.6
  • org.apache.tomcat:tomcat-jasper
    • <6.0.40 → Upgrade to 6.0.40
    • >7.0.0, <7.0.54 → Upgrade to 7.0.54
    • >8.0.0, <8.0.6 → Upgrade to 8.0.6
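As an added example (not part of this advisory and not code from Apache Tomcat or Resolved Security), the following Python script turns the affected ranges and upgrade targets listed above into a check that can be run over the output of `mvn dependency:list`. It assumes the usual `groupId:artifactId:type[:classifier]:version:scope` line format of that command, interprets the advisory's ranges literally (`>8.0.0` excludes 8.0.0 itself, pre-release qualifiers such as `-RC1` sort before the plain release), and the dependency listing embedded in it is constructed sample data, not output from a real build.

```python
import re
from typing import List, Optional, Tuple

# Affected ranges as stated in the CVE-2014-0119 advisory, applied literally:
# (exclusive lower bound or None, exclusive upper bound, version to upgrade to).
AFFECTED_RANGES = [
    (None, "6.0.40", "6.0.40"),
    ("7.0.0", "7.0.54", "7.0.54"),
    ("8.0.0", "8.0.6", "8.0.6"),
]

# Maven coordinates named in the advisory.
AFFECTED_ARTIFACTS = {
    "org.apache.tomcat:tomcat",
    "org.apache.tomcat:tomcat-catalina",
    "org.apache.tomcat:tomcat-jasper",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]([A-Za-z][\w.\-]*))?$")


def parse_version(version: str) -> tuple:
    """Turn '7.0.54' or '8.0.0-RC1' into a comparable tuple.

    Numeric components are padded to four places so '6.0' compares like
    '6.0.0.0'. A trailing qualifier (RC1, M2, ...) sorts before the plain
    release of the same number, a simplified form of Maven's ordering
    (assumption made for this example).
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    numbers = numbers + (0,) * max(0, 4 - len(numbers))
    release_flag = 0 if match.group(2) else 1
    return numbers + (release_flag,)


def check_artifact(coordinate: str, version: str) -> Tuple[bool, Optional[str]]:
    """Return (affected, upgrade_to) for a groupId:artifactId and version."""
    if coordinate not in AFFECTED_ARTIFACTS:
        return (False, None)
    parsed = parse_version(version)
    for lower, upper, fixed in AFFECTED_RANGES:
        above_lower = lower is None or parsed > parse_version(lower)
        below_upper = parsed < parse_version(upper)
        if above_lower and below_upper:
            return (True, fixed)
    return (False, None)


def scan_dependency_list(text: str) -> List[Tuple[str, str, str]]:
    """Scan `mvn dependency:list` output; return (coordinate, version, fix) per hit."""
    findings = []
    for line in text.splitlines():
        parts = line.replace("[INFO]", "").strip().split(":")
        if len(parts) == 5:      # groupId:artifactId:type:version:scope
            group, artifact, version = parts[0], parts[1], parts[3]
        elif len(parts) == 6:    # groupId:artifactId:type:classifier:version:scope
            group, artifact, version = parts[0], parts[1], parts[4]
        else:
            continue             # banner lines and anything that is not a coordinate
        coordinate = f"{group}:{artifact}"
        affected, fixed = check_artifact(coordinate, version)
        if affected:
            findings.append((coordinate, version, fixed))
    return findings


# Constructed sample listing: the first two Tomcat entries fall inside the
# advisory's ranges, the next two sit exactly on the fixed versions.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    org.apache.tomcat:tomcat-catalina:jar:7.0.50:compile
[INFO]    org.apache.tomcat:tomcat-jasper:jar:8.0.5:compile
[INFO]    org.apache.tomcat:tomcat:jar:6.0.40:provided
[INFO]    org.apache.tomcat:tomcat-catalina:jar:7.0.54:compile
[INFO]    javax.servlet:javax.servlet-api:jar:3.1.0:provided
"""

if __name__ == "__main__":
    for coordinate, version, fixed in scan_dependency_list(SAMPLE_DEPENDENCY_LIST):
        print(f"{coordinate}:{version} is in the CVE-2014-0119 range; upgrade to {fixed}")
```

To run it against a real project, replace `SAMPLE_DEPENDENCY_LIST` with the captured output of `mvn dependency:list` (or feed it from a file); the range table is the only part that needs updating if the advisory's affected versions change.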


Additional Resources

What are Similar Vulnerabilities to CVE-2014-0119?

Similar Vulnerabilities: CVE-2017-7656, CVE-2019-12409, CVE-2020-1941, CVE-2020-1935, CVE-2021-30461