
CVE-2014-0107: Improper Authorization in Apache Xalan-Java

CVSS Score
7.5

Basic Information

EPSS Score
0.89942%
Published
5/13/2022
Updated
1/27/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
AV:N/AC:L/Au:N/C:P/I:P/A:P
Package Name   Ecosystem   Vulnerable Versions   First Patched Version
xalan:xalan    maven       < 2.7.2               2.7.2
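Two checks a practitioner wants from the technical details above, as an added example that is not Miggo's code: whether a given xalan:xalan version falls inside the vulnerable range from the package table (run here over constructed `mvn dependency:list` output, with a simplified Maven version ordering), and a recomputation of the CVSS v2 base score from the vector AV:N/AC:L/Au:N/C:P/I:P/A:P to confirm the 7.5. The AFFECTED table is transcribed from this page and the sample dependency lines are constructed, not captured from a real build.

```python
import re

# Affected-range table transcribed from the page (assumption: this one row only).
AFFECTED = {
    ("maven", "xalan:xalan"): {"vulnerable": "< 2.7.2", "first_patched": "2.7.2"},
}

# Qualifiers that Maven orders before the plain release of the same number.
PRERELEASE = ("alpha", "beta", "milestone", "rc", "snapshot")


def parse_version(v):
    """Turn '2.7.1', '2.7' or '2.7.2-rc1' into a comparable tuple.

    Simplified Maven ordering: trailing zeros are insignificant (2.7 == 2.7.0),
    pre-release qualifiers sort before the release, any other qualifier after it.
    """
    core, _, qualifier = v.strip().lower().partition("-")
    nums = [int(p) for p in core.split(".") if p.isdigit()]
    while nums and nums[-1] == 0:
        nums.pop()
    if not qualifier:
        rank = 1
    elif qualifier.split("-")[0].rstrip("0123456789") in PRERELEASE:
        rank = 0
    else:
        rank = 2
    return tuple(nums), rank, qualifier


RANGE_RE = re.compile(r"^(<=|>=|<|>|=)\s*([\w.\-]+)$")


def in_range(version, spec):
    """Evaluate a GHSA-style range such as '< 2.7.2' or '>= 2.0, < 2.7.2'."""
    v = parse_version(version)
    for clause in spec.split(","):
        op, bound = RANGE_RE.match(clause.strip()).groups()
        b = parse_version(bound)
        if not {"<": v < b, "<=": v <= b, ">": v > b, ">=": v >= b, "=": v == b}[op]:
            return False
    return True


def is_affected(ecosystem, package, version):
    entry = AFFECTED.get((ecosystem, package))
    return entry is not None and in_range(version, entry["vulnerable"])


# Constructed sample of `mvn dependency:list` output; not a real build log.
SAMPLE_DEPENDENCY_LIST = """\
[INFO] The following files have been resolved:
[INFO]    xalan:xalan:jar:2.7.1:compile
[INFO]    xalan:serializer:jar:2.7.1:compile
[INFO]    xerces:xercesImpl:jar:2.12.2:compile
[INFO]    org.apache.commons:commons-lang3:jar:3.12.0:compile
"""


def find_affected(dependency_list, ecosystem="maven"):
    """Return (coordinate, version, first_patched) for every vulnerable line.

    dependency:list prints group:artifact:type[:classifier]:version:scope,
    so the version is always the second-to-last colon-separated field.
    """
    hits = []
    for line in dependency_list.splitlines():
        body = line[6:] if line.startswith("[INFO]") else line
        parts = body.strip().split(":")
        if len(parts) < 5:
            continue  # header or other log line, not a coordinate
        coord, version = f"{parts[0]}:{parts[1]}", parts[-2]
        entry = AFFECTED.get((ecosystem, coord))
        if entry and in_range(version, entry["vulnerable"]):
            hits.append((coord, version, entry["first_patched"]))
    return hits


# CVSS v2 base metric weights, as defined by the CVSS v2 specification.
CVSS2 = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}


def cvss2_base_score(vector):
    """Recompute the CVSS v2 base score from a vector string like the one above."""
    m = dict(part.split(":") for part in vector.split("/"))
    w = {k: CVSS2[k][m[k]] for k in CVSS2}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact, 1)


if __name__ == "__main__":
    for coord, version, patched in find_affected(SAMPLE_DEPENDENCY_LIST):
        print(f"{coord} {version} is affected by CVE-2014-0107; upgrade to {patched}")
    print("CVSS v2 base score:", cvss2_base_score("AV:N/AC:L/Au:N/C:P/I:P/A:P"))
```

Pipe a real `mvn dependency:list` run into `find_affected` to check a project; the version ordering is deliberately simplified (no full Maven ComparableVersion semantics), so treat an unusual qualifier such as a vendor rebuild as something to verify by hand.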

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerable functions are identified by analyzing the patch for CVE-2014-0107. The patch modifies the TransformerFactoryImpl class so that, once FEATURE_SECURE_PROCESSING is enabled, access to the affected properties is actually restricted; its getAttribute and setAttribute methods are the primary functions modified to address the vulnerability. Note that on Xalan-Java 2.7.1 and earlier, enabling FEATURE_SECURE_PROCESSING does not block these properties, so setting the feature is not a substitute for upgrading to 2.7.2 or later.

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or ac
