Arbitrary Class Load Affecting xalan:xalan package, versions [,2.7.2)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-XALAN-31385
- published 6 Jun 2014
- disclosed 15 Apr 2014
- credit Unknown
Introduced: 15 Apr 2014
CVE-2014-0107 Open this link in a new tabHow to fix?
Upgrade xalan:xalan to version 2.7.2 or higher.
Overview
xalan:xalan is a XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program.
Affected versions of this package are vulnerable to Arbitrary Class Load. The TransformerFactory in does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted xalan:content-header, xalan:entities, xslt:content-header, xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.