
CVE-2014-0096: Improper Input Validation in Apache Tomcat

CVSS Score: 4.3

Basic Information

EPSS Score: 0.80978%
Published: 5/14/2022
Updated: 2/22/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

Package Name             | Ecosystem | Vulnerable Versions | First Patched Version
org.apache.tomcat:tomcat | maven     | < 6.0.40            | 6.0.40
org.apache.tomcat:tomcat | maven     | >= 7.0.0, < 7.0.54  | 7.0.54
org.apache.tomcat:tomcat | maven     | >= 8.0.0, < 8.0.6   | 8.0.6

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The analysis focused on the changes made to the DefaultServlet class, particularly how XSLT stylesheets are processed and how external entities are handled. The vulnerable function is identified as findXsltInputStream (and its variants) because it was directly modified to address the XXE vulnerability. The secureXslt method and SecureEntityResolver class are part of the mitigation and are not vulnerable themselves but are crucial in preventing the vulnerability.
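As an added illustration of the mitigation pattern described above (example code, not Tomcat's own), the loader below parses an XSLT stylesheet with an EntityResolver that refuses every external entity, so a stylesheet carrying an external entity declaration is rejected before it reaches the XSLT engine. The class and method names and the file: system id in the sample are assumed for this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Source;
import javax.xml.transform.dom.DOMSource;
import org.w3c.dom.Document;
import org.xml.sax.EntityResolver;
import org.xml.sax.SAXException;

// Hypothetical class name; shows the resolver-based mitigation, not Tomcat's code.
public class SecureXsltLoader {

    // Refuses every external entity the parser asks for, so a stylesheet's DTD
    // cannot pull in local files or remote URLs through entity declarations.
    static final EntityResolver BLOCK_EXTERNAL_ENTITIES = (publicId, systemId) -> {
        throw new SAXException("external entity blocked: " + systemId);
    };

    // Parses the stylesheet into a DOM with the blocking resolver installed and
    // returns a Source the XSLT engine can consume; throws if an entity was fetched.
    static Source loadStylesheet(byte[] xslt) throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setXIncludeAware(false);
        DocumentBuilder builder = factory.newDocumentBuilder();
        builder.setEntityResolver(BLOCK_EXTERNAL_ENTITIES);
        Document doc = builder.parse(new ByteArrayInputStream(xslt));
        return new DOMSource(doc);
    }

    public static void main(String[] args) throws Exception {
        String ns = "http://www.w3.org/1999/XSL/Transform";
        // Constructed sample: an ordinary stylesheet with no DTD at all.
        String benign = "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"" + ns + "\">"
            + "<xsl:template match=\"/\"><html/></xsl:template></xsl:stylesheet>";
        // Constructed sample: a stylesheet whose DTD declares and references an external
        // entity (placeholder path; it is never read because the resolver refuses it).
        String hostile = "<!DOCTYPE xsl:stylesheet [<!ENTITY ext SYSTEM \"file:///placeholder/not-read\">]>"
            + "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"" + ns + "\">"
            + "<xsl:template match=\"/\">&ext;</xsl:template></xsl:stylesheet>";
        for (String sheet : new String[] {benign, hostile}) {
            try {
                loadStylesheet(sheet.getBytes(StandardCharsets.UTF_8));
                System.out.println("accepted");
            } catch (SAXException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The benign stylesheet loads, while the one with the external entity is refused at parse time, which is the check a defender wants in front of any user-supplied XSLT.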


WAF Protection Rules

WAF Rule

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager
