
CVE-2022-34169 xalan:xalan

Package

Manager: maven
Name: xalan:xalan
Vulnerable Version: >=0, <2.7.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:H/SA:N

EPSS: 0.08073 (percentile 0.918)

Details

Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. XSLTC compiles a stylesheet into Java bytecode, and a stylesheet that pushes the generated class's constant pool past the 16-bit limit of the class-file format causes constant-pool indices to be truncated when written. This can be used to corrupt the Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode in the process that runs the transformation. A fix for this issue was published in September 2022 as part of an anticipated 2.7.3 release; applications that accept stylesheets from untrusted sources should upgrade to 2.7.3 or later.
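The following is an added illustration of the bug class the advisory describes, not code from Xalan, BCEL or the fix itself. It models a class-file constant pool whose entry count and operand indices are 16-bit fields, shows how an entry appended beyond 65535 has its index wrap to a low, attacker-chosen slot when the index is silently truncated, and shows the kind of bounds check (assumed here, the real fix lives in the BCEL code Xalan bundles) that rejects the oversized pool instead. The pool contents, the `filler` padding, and the `is_affected` range check against this advisory's `>=0, <2.7.3` are constructed for the example.

```python
import struct

# The JVM class-file format stores constant_pool_count as a u2, so a pool can
# hold at most 65535 slots (index 0 is reserved), and instruction operands such
# as ldc_w carry u2 indices.  Java's DataOutputStream.writeShort keeps only the
# low 16 bits of an int, which is the truncation this advisory is about.
MAX_CP_COUNT = 0xFFFF


class ConstantPool:
    """Toy constant pool holding only string entries.

    Assumption: a simplified stand-in for the pool XSLTC/BCEL builds while
    compiling a stylesheet; it is not Xalan's own code.
    """

    def __init__(self, check_bounds: bool) -> None:
        self.check_bounds = check_bounds
        self.entries = [None]  # slot 0 is never a valid constant-pool index

    def add(self, value: str) -> int:
        """Append an entry and return its index.

        With check_bounds=False the index keeps growing past what a u2 can
        hold (the vulnerable behaviour); with check_bounds=True the overflow
        is rejected up front (the behaviour a fixed compiler should have).
        """
        self.entries.append(value)
        if self.check_bounds and len(self.entries) > MAX_CP_COUNT:
            raise OverflowError("constant pool exceeds 65535 entries")
        return len(self.entries) - 1

    @staticmethod
    def encode_index(index: int) -> bytes:
        """Vulnerable operand encoding: keep the low 16 bits, as writeShort does."""
        return struct.pack(">H", index & 0xFFFF)

    def resolve(self, raw: bytes) -> str:
        """What a class-file consumer does with the emitted u2 operand."""
        (index,) = struct.unpack(">H", raw)
        if index == 0 or index >= len(self.entries):
            raise ValueError("invalid constant pool index %d" % index)
        return self.entries[index]


def demo_truncation() -> str:
    """Grow a pool the way an oversized stylesheet would and show the operand
    of a late entry resolving to an early, attacker-chosen entry."""
    pool = ConstantPool(check_bounds=False)
    attacker_idx = pool.add("attacker-controlled")  # lands at index 1
    # Constructed padding standing in for the many literals a malicious
    # stylesheet supplies; stop when the next index will be 65537.
    while len(pool.entries) <= 0x10000:
        pool.add("filler")
    late_idx = pool.add("trusted-literal")  # index 65537 in the unchecked pool
    operand = ConstantPool.encode_index(late_idx)  # 65537 & 0xFFFF == 1
    assert attacker_idx == 1 and late_idx == 0x10001
    # The bytecode meant to reference "trusted-literal" now points at slot 1.
    return pool.resolve(operand)


def fixed_compiler_rejects() -> bool:
    """A bounds-checked pool refuses to grow past the u2 limit, so no operand
    can ever be truncated; returns True if the overflow is caught."""
    pool = ConstantPool(check_bounds=True)
    try:
        for _ in range(0x10000):
            pool.add("filler")
    except OverflowError:
        return True
    return False


def is_affected(version: str) -> bool:
    """Is a plain dotted-numeric xalan:xalan version inside >=0, <2.7.3?
    Qualifiers such as -SNAPSHOT are out of scope for this example."""
    parts = tuple(int(p) for p in version.split("."))
    return parts < (2, 7, 3)


if __name__ == "__main__":
    print("unchecked pool resolves late entry to:", demo_truncation())
    print("bounds-checked pool rejects overflow:", fixed_compiler_rejects())
    for v in ("2.7.2", "2.7.3"):
        print("xalan:xalan", v, "affected:", is_affected(v))
```

The point of the model is that the wrap is not a crash: the truncated operand is a perfectly valid index into the same pool, and the stylesheet author chose what sits there. That is why the advisory's impact is arbitrary bytecode rather than a denial of service, and why the right fix is to refuse the oversized pool rather than to clamp the index.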

Metadata

Created: 2022-07-20T00:00:18Z
Modified: 2024-06-24T21:23:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-9339-86wc-4qgf/GHSA-9339-86wc-4qgf.json
CWE IDs: CWE-681 (Incorrect Conversion between Numeric Types)
Alternative ID: GHSA-9339-86wc-4qgf
Finding: F113
Auto approve: 1