Skip to content

Missing XML Validation in Apache Tomcat

Moderate severity GitHub Reviewed Published May 14, 2022 to the GitHub Advisory Database • Updated Apr 14, 2025

Package

maven org.apache.tomcat:tomcat (Maven)

Affected versions

< 6.0.40
>= 7.0.0, < 7.0.54
>= 8.0.0, < 8.0.6

Patched versions

6.0.40
7.0.54
8.0.6
maven org.apache.tomcat:tomcat-catalina (Maven)
< 6.0.40
>= 7.0.0, < 7.0.54
>= 8.0.0, < 8.0.6
6.0.40
7.0.54
8.0.6
maven org.apache.tomcat:tomcat-jasper (Maven)
< 6.0.40
>= 7.0.0, < 7.0.54
>= 8.0.0, < 8.0.6
6.0.40
7.0.54
8.0.6

Description

Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.

References

Published by the National Vulnerability Database May 31, 2014
Published to the GitHub Advisory Database May 14, 2022
Reviewed Jul 7, 2022
Last updated Apr 14, 2025

Severity

Moderate

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(90th percentile)

Weaknesses

Missing XML Validation

The product accepts XML from an untrusted source but does not validate the XML against the proper schema. Learn more on MITRE.

CVE ID

CVE-2014-0119

GHSA ID

GHSA-prc3-7f44-w48j

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.