CVE-2015-0254
XXE in Apache Standard Taglibs
EPSS 3.8%
Description
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
How to fix CVE-2015-0254
To remediate CVE-2015-0254, upgrade each affected package to a fixed version listed below.
- Maven/org.apache.taglibs:taglibs-standard: upgrade to 1.2.3 or later
- Maven/org.apache.taglibs:taglibs-standard-impl: upgrade to 1.2.3 or later
Is CVE-2015-0254 being exploited?
Low — EPSS is 3.8%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Maven/org.apache.taglibs:taglibs-standard: from 0, < 1.2.3
- Maven/org.apache.taglibs:taglibs-standard-impl: from 0, < 1.2.3