Table of Contents

Apache Taglibs vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Taglibs. Each vulnerability is given a security impact rating by the Apache Tomcat® security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Taglibs the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

This page has been created from a review of the Apache Tomcat archives and the CVE list. Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.

20 February 2015 Fixed in Apache Standard Taglib 1.2.3

Important: Information Disclosure CVE-2015-0254

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a JSTL XML tag.

This issue was identified by the David Jorm of IIX and made public on 27 February 2015.

Affects: All versions prior to 1.2.3