|Apache Tomcat before 6.0.40, 7.x before 7.0.54, and 8.x before 8.0.6
does not properly constrain the class loader that accesses the XML
parser used with an XSLT stylesheet, which allows remote attackers to
(1) read arbitrary files via a crafted web application that provides
an XML external entity declaration in conjunction with an entity
reference, related to an XML External Entity (XXE) issue, or (2) read
files associated with different web applications on a single Tomcat
instance via a crafted web application.