Apache Tomcat advisory TOMCAT:EA4ED950D02D1F036AB2297B7E4A7048
History: May 21, 2014 - 12:00 a.m.

Fixed in Apache Tomcat 8.0.8

Published: 2014-05-21 00:00:00
Product: Apache Tomcat 8 (tomcat.apache.org)

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:P/I:N/A:N)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.002 Low (percentile 51.8%)

Note: The issue below was fixed in Apache Tomcat 8.0.6 but the release votes for the 8.0.6 and 8.0.7 release candidates did not pass. Therefore, although users must download 8.0.8 to obtain a version that includes a fix for this issue, versions 8.0.6 and 8.0.7 are not included in the list of affected versions.

Low: Information Disclosure CVE-2014-0119

In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance.

This was fixed in revisions 1588193, 1589837, 1589980, 1589983, 1589985, 1589990 and 1589992.

This issue was identified by the Tomcat security team on 12 April 2014 and made public on 27 May 2014.

Affects: 8.0.0-RC1 to 8.0.5
