Apache Tomcat XML External Entity Information Disclosure Vulnerability
3 Jul. 2014
Apache Tomcat 8.0.0-RC1 to 8.0.3, Apache Tomcat 7.0.0 to 7.0.53 and Apache Tomcat 6.0.0 to 6.0.39 are prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information that may lead to further attacks.
The information has been provided by the Tomcat security team.
Vulnerable systems:
* Apache Tomcat 8.0.0-RC1 to 8.0.3
* Apache Tomcat 7.0.0 to 7.0.53
* Apache Tomcat 6.0.0 to 6.0.39
Immune systems:
* Apache Tomcat versions later than 8.0.3
* Apache Tomcat versions later than 7.0.53
* Apache Tomcat versions later than 6.0.39
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
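As an added illustration of the defensive side of this issue (example code written for this page, not Tomcat's own), the following Java program parses a constructed document carrying an external entity declaration, first with a default `DocumentBuilderFactory` and then with one hardened against DTD and external-entity processing, and prints which parser implementation the class loader resolved. It assumes Java 11 or later; the temporary file it reads is created by the program itself.

```java
import java.io.StringReader;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;

public class XxeHardeningDemo {
    // Factory with DTD and external-entity handling disabled, so an external entity
    // declaration is refused whatever parser implementation the class loader resolves.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        return f;
    }

    // Parses the document; returns the root element's text if the entity was
    // expanded, or the exception type if the parser rejected the input.
    static String parse(DocumentBuilderFactory f, String xml) {
        try {
            DocumentBuilder b = f.newDocumentBuilder();
            Document d = b.parse(new InputSource(new StringReader(xml)));
            return "expanded to: " + d.getDocumentElement().getTextContent().trim();
        } catch (Exception e) {
            return "rejected: " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive file, created here so the demo is self-contained.
        Path secret = Files.createTempFile("secret", ".txt");
        Files.writeString(secret, "db.password=CONSTRUCTED-SAMPLE");
        // Constructed document whose DOCTYPE declares an external entity pointing at that file.
        String xml = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE listing [<!ENTITY leak SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<listing>&leak;</listing>";

        DocumentBuilderFactory dflt = DocumentBuilderFactory.newInstance();
        System.out.println("parser impl resolved by class loader: " + dflt.getClass().getName());
        System.out.println("default factory:  " + parse(dflt, xml));
        System.out.println("hardened factory: " + parse(hardenedFactory(), xml));
        Files.delete(secret);
    }
}
```

Whether the default factory expands the entity depends on the parser implementation and JDK version in use; the hardened factory rejects the DOCTYPE regardless, which is the property to verify when a web application can influence which parser the container loads.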