Homepage
About Snyk

Arbitrary Class Load Affecting xalan:xalan package, versions [,2.7.2)

0.0
high

Snyk CVSS

    Attack Complexity Low

    Threat Intelligence

    EPSS 0.54% (78th percentile)
Expand this section
NVD
7.3 high
Expand this section
Red Hat
6.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-JAVA-XALAN-31385
  • published 6 Jun 2014
  • disclosed 15 Apr 2014
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 15 Apr 2014

CVE-2014-0107 Open this link in a new tab
CWE-264 Open this link in a new tab

How to fix?

Upgrade xalan:xalan to version 2.7.2 or higher.

Overview

xalan:xalan is a XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program.

Affected versions of this package are vulnerable to Arbitrary Class Load. The TransformerFactory in does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted xalan:content-header, xalan:entities, xslt:content-header, xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.