CVE-2015-0254

Published: 09/03/2015 Updated: 07/11/2023
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Apache Standard Taglibs prior to 1.2.3 allows remote malicious users to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.

Vulnerable Products

apache standard taglibs

canonical ubuntu linux 14.10

canonical ubuntu linux 14.04

Vendor Advisories

Debian Bug report logs - #779621 jakarta-taglibs-standard: CVE-2015-0254 Package: jakarta-taglibs-standard; Maintainer for jakarta-taglibs-standard is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Reported by: Moritz Muehlenhoff <jmm@inutil.org> Date: Tue, 3 Mar 2015 07:06:01 UTC Owned by: M ...
Apache Standard Taglibs loaded external XML entities ...
It was found that the Java Standard Tag Library (JSTL) allowed the processing of untrusted XML documents to utilize external entity references, which could access resources on the host system and, potentially, allow arbitrary code execution ...

References

CWE: NVD-CWE-Other

http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html
http://www.securityfocus.com/bid/72809
http://mail-archives.apache.org/mod_mbox/tomcat-taglibs-user/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E
http://www.ubuntu.com/usn/USN-2551-1
http://rhn.redhat.com/errata/RHSA-2016-1838.html
http://rhn.redhat.com/errata/RHSA-2016-1840.html
http://rhn.redhat.com/errata/RHSA-2016-1841.html
http://rhn.redhat.com/errata/RHSA-2016-1839.html
http://www.securitytracker.com/id/1034934
http://lists.opensuse.org/opensuse-updates/2015-10/msg00033.html
http://rhn.redhat.com/errata/RHSA-2015-1695.html
http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
https://access.redhat.com/errata/RHSA-2016:1376
http://www.securityfocus.com/archive/1/534772/100/0/threaded
https://www.oracle.com/security-alerts/cpuapr2020.html
https://www.oracle.com//security-alerts/cpujul2021.html
https://lists.apache.org/thread.html/8a20e48acb2a40be5130df91cf9d39d8ad93181989413d4abcaa4914%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rfc2bfd99c340dafd501676693cd889c1f9f838b97bdd0776a8f5557d%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rc1686f6196bb9063bf26577a21b8033c19c1a30e5a9159869c8f3d38%40%3Cpluto-dev.portals.apache.org%3E
https://lists.apache.org/thread.html/rf1179e6971bc46f0f68879a9a10cc97ad4424451b0889aeef04c8077%40%3Cpluto-scm.portals.apache.org%3E
https://lists.apache.org/thread.html/r6c93d8ade3788dbc00f5a37238bc278e7d859f2446b885460783a16f%40%3Cpluto-dev.portals.apache.org%3E
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779621
https://usn.ubuntu.com/2551-1/
https://nvd.nist.gov
https://access.redhat.com/security/cve/cve-2015-0254