CVE-2015-0254: High severity apache standard taglibs vulnerability
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
Other sources
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
— IBM
The following flaw was found in Apache Standard Taglibs:
When an application uses <x:parse> or <x:transform> tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution.
Upstream announcement:
https://mail-archives.apache.org/modmbox/www-announce/201502.mbox/%3C82207A16-6348-4DEE-877E-F7B87292576A%40apache.org%3E
— Red Hat
Frequently Asked Questions
What is CVE-2015-0254?
CVE-2015-0254 is a vulnerability in Apache Standard Taglibs that allows remote attackers to execute arbitrary code or conduct XML External Entity Injection (XXE) attacks.
How does CVE-2015-0254 affect the system?
CVE-2015-0254 affects applications that pass untrusted XML or XSLT through the <x:parse> or <x:transform> tags: a crafted document can use external entity references to read resources on the host system (XXE), and a crafted XSLT extension can lead to arbitrary code execution on the server.
Which software versions are affected by CVE-2015-0254?
Apache Standard Taglibs versions before 1.2.3 are affected by CVE-2015-0254; 1.2.3 is the first fixed release.
What is the severity of CVE-2015-0254?
CVE-2015-0254 has a severity rating of high.
How can I fix CVE-2015-0254?
To fix CVE-2015-0254, you should update the Apache Standard Taglibs to version 1.2.3 or higher, or apply the necessary patches provided by the vendor.