Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-jf7u-dvpd-b7f4
Vulnerability ID VCID-jf7u-dvpd-b7f4
Aliases CVE-2014-0119
GHSA-prc3-7f44-w48j
Summary Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-112 Missing XML Validation
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
System Score Found at
generic_textual MODERATE http://advisories.mageia.org/MGASA-2014-0268.html
generic_textual MODERATE http://marc.info/?l=bugtraq&m=141017844705317&w=2
generic_textual MODERATE http://marc.info/?l=bugtraq&m=144498216801440&w=2
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-0675.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-0720.html
generic_textual MODERATE http://rhn.redhat.com/errata/RHSA-2015-0765.html
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
epss 0.04351 https://api.first.org/data/v1/epss?cve=CVE-2014-0119
apache_tomcat Low https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119
generic_textual MODERATE http://seclists.org/fulldisclosure/2014/Dec/23
generic_textual MODERATE http://seclists.org/fulldisclosure/2014/May/141
generic_textual MODERATE http://secunia.com/advisories/59732
generic_textual MODERATE http://secunia.com/advisories/59873
generic_textual MODERATE http://secunia.com/advisories/60729
cvssv2 2.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-prc3-7f44-w48j
generic_textual MODERATE https://github.com/apache/tomcat
generic_textual MODERATE https://github.com/apache/tomcat80/commit/25251de791a6a7be13f2f3d3a66119a77025272d
generic_textual MODERATE https://github.com/apache/tomcat80/commit/4d90e355dc5ced4c53585c2b4700f71a52d8f447
generic_textual MODERATE https://github.com/apache/tomcat80/commit/51e59532ad4c604f55575963dc7a7f0250cb420f
generic_textual MODERATE https://github.com/apache/tomcat80/commit/69a8a72283c3395ece8b899cf8562e126de97a27
generic_textual MODERATE https://github.com/apache/tomcat80/commit/77e014cef5d5af619bcf77eaebf22c284d420802
generic_textual MODERATE https://github.com/apache/tomcat80/commit/7d33457de5fc5a652a88fb9bbc9ba4cbbda58f04
generic_textual MODERATE https://github.com/apache/tomcat80/commit/d59fd4398c8ae6361e0b13c491f66b51e49a7441
generic_textual MODERATE https://github.com/apache/tomcat/commit/080878ea519d8c74c53721a9ebf7be6fcf6f1f2f
generic_textual MODERATE https://github.com/apache/tomcat/commit/50311bed8d87e452ff0e69838ba312c4fe899b2d
generic_textual MODERATE https://github.com/apache/tomcat/commit/5517c5517e8a7ddb994504f0c5c05001a376b10c
generic_textual MODERATE https://github.com/apache/tomcat/commit/5aae1323c31d643afa9f2db80713b8e97b5123af
generic_textual MODERATE https://github.com/apache/tomcat/commit/6246d8307fb5f2b4ff0b0f4d6d1b0250dff01a81
generic_textual MODERATE https://github.com/apache/tomcat/commit/769477b9bc8442db3f571385fa0c3e206242cbf1
generic_textual MODERATE https://github.com/apache/tomcat/commit/934f884f330dad192d2c5dc950e28f4cd281461b
generic_textual MODERATE https://github.com/apache/tomcat/commit/ad3b34a290a0255d2a4c356a3611ab41ed9d04f5
generic_textual MODERATE https://github.com/apache/tomcat/commit/ce70ee6b8fe437a498a375215011056702b0c481
generic_textual MODERATE https://github.com/apache/tomcat/commit/ebe5c16f18ce1559e8462a94b3876a98525980d2
generic_textual MODERATE https://github.com/apache/tomcat/commit/f8b316acbbf9fabf87cc137e9777e912eda0d834
generic_textual MODERATE https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
generic_textual MODERATE https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2014-0119
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1588193
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1588199
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1589640
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1589837
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1589980
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1589983
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1589985
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1589990
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1589992
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1589997
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1590028
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1590036
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1593815
generic_textual MODERATE http://svn.apache.org/viewvc?view=revision&revision=1593821
generic_textual MODERATE http://tomcat.apache.org/security-6.html
generic_textual MODERATE http://tomcat.apache.org/security-7.html
generic_textual MODERATE http://tomcat.apache.org/security-8.html
generic_textual MODERATE http://www-01.ibm.com/support/docview.wss?uid=swg21678231
generic_textual MODERATE http://www-01.ibm.com/support/docview.wss?uid=swg21681528
generic_textual MODERATE http://www.debian.org/security/2016/dsa-3530
generic_textual MODERATE http://www.debian.org/security/2016/dsa-3552
generic_textual MODERATE http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
generic_textual MODERATE http://www.mandriva.com/security/advisories?name=MDVSA-2015:053
generic_textual MODERATE http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
generic_textual MODERATE http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
generic_textual MODERATE http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
generic_textual MODERATE http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
generic_textual MODERATE http://www.securityfocus.com/archive/1/534161/100/0/threaded
generic_textual MODERATE http://www.securityfocus.com/bid/67669
generic_textual MODERATE http://www.securitytracker.com/id/1030298
generic_textual MODERATE http://www.ubuntu.com/usn/USN-2654-1
generic_textual MODERATE http://www.vmware.com/security/advisories/VMSA-2014-0012.html
Reference id Reference type URL
http://advisories.mageia.org/MGASA-2014-0268.html
http://marc.info/?l=bugtraq&m=141017844705317&w=2
http://marc.info/?l=bugtraq&m=144498216801440&w=2
http://rhn.redhat.com/errata/RHSA-2015-0675.html
http://rhn.redhat.com/errata/RHSA-2015-0720.html
http://rhn.redhat.com/errata/RHSA-2015-0765.html
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2014-0119.json
https://api.first.org/data/v1/epss?cve=CVE-2014-0119
http://seclists.org/fulldisclosure/2014/Dec/23
http://seclists.org/fulldisclosure/2014/May/141
http://secunia.com/advisories/59732
http://secunia.com/advisories/59873
http://secunia.com/advisories/60729
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/apache/tomcat
https://github.com/apache/tomcat70/commit/080878ea519d8c74c53721a9ebf7be6fcf6f1f2f
https://github.com/apache/tomcat70/commit/6246d8307fb5f2b4ff0b0f4d6d1b0250dff01a81
https://github.com/apache/tomcat70/commit/934f884f330dad192d2c5dc950e28f4cd281461b
https://github.com/apache/tomcat70/commit/f8b316acbbf9fabf87cc137e9777e912eda0d834
https://github.com/apache/tomcat80/commit/25251de791a6a7be13f2f3d3a66119a77025272d
https://github.com/apache/tomcat80/commit/4d90e355dc5ced4c53585c2b4700f71a52d8f447
https://github.com/apache/tomcat80/commit/51e59532ad4c604f55575963dc7a7f0250cb420f
https://github.com/apache/tomcat80/commit/69a8a72283c3395ece8b899cf8562e126de97a27
https://github.com/apache/tomcat80/commit/77e014cef5d5af619bcf77eaebf22c284d420802
https://github.com/apache/tomcat80/commit/7d33457de5fc5a652a88fb9bbc9ba4cbbda58f04
https://github.com/apache/tomcat80/commit/d59fd4398c8ae6361e0b13c491f66b51e49a7441
https://github.com/apache/tomcat/commit/080878ea519d8c74c53721a9ebf7be6fcf6f1f2f
https://github.com/apache/tomcat/commit/50311bed8d87e452ff0e69838ba312c4fe899b2d
https://github.com/apache/tomcat/commit/5517c5517e8a7ddb994504f0c5c05001a376b10c
https://github.com/apache/tomcat/commit/5aae1323c31d643afa9f2db80713b8e97b5123af
https://github.com/apache/tomcat/commit/6246d8307fb5f2b4ff0b0f4d6d1b0250dff01a81
https://github.com/apache/tomcat/commit/769477b9bc8442db3f571385fa0c3e206242cbf1
https://github.com/apache/tomcat/commit/934f884f330dad192d2c5dc950e28f4cd281461b
https://github.com/apache/tomcat/commit/ad3b34a290a0255d2a4c356a3611ab41ed9d04f5
https://github.com/apache/tomcat/commit/ce70ee6b8fe437a498a375215011056702b0c481
https://github.com/apache/tomcat/commit/ebe5c16f18ce1559e8462a94b3876a98525980d2
https://github.com/apache/tomcat/commit/f8b316acbbf9fabf87cc137e9777e912eda0d834
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
https://svn.apache.org/viewvc?view=rev&rev=1588193
https://svn.apache.org/viewvc?view=rev&rev=1588199
https://svn.apache.org/viewvc?view=rev&rev=1589640
https://svn.apache.org/viewvc?view=rev&rev=1589837
https://svn.apache.org/viewvc?view=rev&rev=1589980
https://svn.apache.org/viewvc?view=rev&rev=1589983
https://svn.apache.org/viewvc?view=rev&rev=1589985
https://svn.apache.org/viewvc?view=rev&rev=1589990
https://svn.apache.org/viewvc?view=rev&rev=1589992
https://svn.apache.org/viewvc?view=rev&rev=1589997
https://svn.apache.org/viewvc?view=rev&rev=1590028
https://svn.apache.org/viewvc?view=rev&rev=1590036
https://svn.apache.org/viewvc?view=rev&rev=1593815
https://svn.apache.org/viewvc?view=rev&rev=1593821
http://svn.apache.org/viewvc?view=revision&revision=1588193
http://svn.apache.org/viewvc?view=revision&revision=1588199
http://svn.apache.org/viewvc?view=revision&revision=1589640
http://svn.apache.org/viewvc?view=revision&revision=1589837
http://svn.apache.org/viewvc?view=revision&revision=1589980
http://svn.apache.org/viewvc?view=revision&revision=1589983
http://svn.apache.org/viewvc?view=revision&revision=1589985
http://svn.apache.org/viewvc?view=revision&revision=1589990
http://svn.apache.org/viewvc?view=revision&revision=1589992
http://svn.apache.org/viewvc?view=revision&revision=1589997
http://svn.apache.org/viewvc?view=revision&revision=1590028
http://svn.apache.org/viewvc?view=revision&revision=1590036
http://svn.apache.org/viewvc?view=revision&revision=1593815
http://svn.apache.org/viewvc?view=revision&revision=1593821
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://www-01.ibm.com/support/docview.wss?uid=swg21678231
http://www-01.ibm.com/support/docview.wss?uid=swg21681528
http://www.debian.org/security/2016/dsa-3530
http://www.debian.org/security/2016/dsa-3552
http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
http://www.mandriva.com/security/advisories?name=MDVSA-2015:053
http://www.mandriva.com/security/advisories?name=MDVSA-2015:084
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.securityfocus.com/archive/1/534161/100/0/threaded
http://www.securityfocus.com/bid/67669
http://www.securitytracker.com/id/1030298
http://www.ubuntu.com/usn/USN-2654-1
http://www.vmware.com/security/advisories/VMSA-2014-0012.html
1102038 https://bugzilla.redhat.com/show_bug.cgi?id=1102038
CVE-2014-0119 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119
CVE-2014-0119 https://nvd.nist.gov/vuln/detail/CVE-2014-0119
GHSA-prc3-7f44-w48j https://github.com/advisories/GHSA-prc3-7f44-w48j
GLSA-201412-29 https://security.gentoo.org/glsa/201412-29
RHSA-2014:0842 https://access.redhat.com/errata/RHSA-2014:0842
RHSA-2014:0843 https://access.redhat.com/errata/RHSA-2014:0843
RHSA-2014:0895 https://access.redhat.com/errata/RHSA-2014:0895
RHSA-2014:1034 https://access.redhat.com/errata/RHSA-2014:1034
RHSA-2014:1038 https://access.redhat.com/errata/RHSA-2014:1038
RHSA-2014:1086 https://access.redhat.com/errata/RHSA-2014:1086
RHSA-2014:1087 https://access.redhat.com/errata/RHSA-2014:1087
RHSA-2014:1088 https://access.redhat.com/errata/RHSA-2014:1088
RHSA-2015:0234 https://access.redhat.com/errata/RHSA-2015:0234
RHSA-2015:0235 https://access.redhat.com/errata/RHSA-2015:0235
RHSA-2015:0675 https://access.redhat.com/errata/RHSA-2015:0675
RHSA-2015:0720 https://access.redhat.com/errata/RHSA-2015:0720
RHSA-2015:0765 https://access.redhat.com/errata/RHSA-2015:0765
RHSA-2015:1009 https://access.redhat.com/errata/RHSA-2015:1009
USN-2654-1 https://usn.ubuntu.com/2654-1/
No exploits are available.
Vector: AV:N/AC:H/Au:S/C:P/I:N/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Exploit Prediction Scoring System (EPSS)
Percentile 0.88893
EPSS Score 0.04351
Published At April 1, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:38:13.117291+00:00 Apache Tomcat Importer Import https://tomcat.apache.org/security-8.html 38.0.0