Main Vulnerability Database SB2016040202

SB2016040202 - Gentoo update for Xalan-Java

Published: April 2, 2016 Updated: April 24, 2025

Security Bulletin ID SB2016040202

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper access control (CVE-ID: CVE-2014-0107)

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to TransformerFactory in Apache Xalan-Java does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled. A remote attacker can bypass implemented security restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

Remediation

Install update from vendor's website.

References

https://security.gentoo.org/glsa/201604-02