[jboss-jira] [JBoss JIRA] (WFLY-6416) CVE-2015-0254: XXE and RCE via XSL extension in JSTL XML tags
James Perkins (JIRA)
issues at jboss.org
Wed Jul 20 13:08:00 EDT 2016
[ https://issues.jboss.org/browse/WFLY-6416?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
James Perkins updated WFLY-6416:
--------------------------------
Security Sensitive Issue: This issue is security relevant
> CVE-2015-0254: XXE and RCE via XSL extension in JSTL XML tags
> --------------------------------------------------------------
>
> Key: WFLY-6416
> URL: https://issues.jboss.org/browse/WFLY-6416
> Project: WildFly
> Issue Type: Bug
> Components: XML Frameworks
> Affects Versions: 10.0.0.Final
> Environment: Testing with OpenJDK 1.8.0_73
> Reporter: Jason Shepherd
> Assignee: Tomaz Cerar
> Fix For: 10.1.0.CR1
>
>
> When an application uses <x:parse> or <x:transform> tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.
> Red Hat Flaw bug: https://bugzilla.redhat.com/show_bug.cgi?id=1198606
--
This message was sent by Atlassian JIRA
(v6.4.11#64026)