CVSS2: 4.3 Medium

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |

EPSS: 0.002 Low (Percentile 53.6%)
Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to (1) read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or (2) read files associated with different web applications on a single Tomcat instance via a crafted web application.
Author | Note |
---|---|
mdeslaur | patch is intrusive |