CVE - CVE-2022-34169

CVE-ID
CVE-2022-34169	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
CONFIRM:https://security.netapp.com/advisory/ntap-20240621-0006/ GENTOO:GLSA-202401-25 URL:https://security.gentoo.org/glsa/202401-25 MISC:DSA-5188 URL:https://www.debian.org/security/2022/dsa-5188 MISC:DSA-5192 URL:https://www.debian.org/security/2022/dsa-5192 MISC:DSA-5256 URL:https://www.debian.org/security/2022/dsa-5256 MISC:FEDORA-2022-19b6f21746 URL:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/ MISC:FEDORA-2022-80afe2304a URL:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/ MISC:FEDORA-2022-ae563934f7 URL:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/ MISC:FEDORA-2022-b76ab52e73 URL:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/ MISC:FEDORA-2022-d26586b419 URL:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/ MISC:FEDORA-2022-e573851f56 URL:https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/ MISC:[debian-lts-announce] 20221018 [SECURITY] [DLA 3155-1] bcel security update URL:https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html MISC:[oss-security] 20220719 CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets URL:http://www.openwall.com/lists/oss-security/2022/07/19/5 MISC:[oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets URL:http://www.openwall.com/lists/oss-security/2022/07/19/6 MISC:[oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets URL:http://www.openwall.com/lists/oss-security/2022/07/20/2 MISC:[oss-security] 20220720 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets URL:http://www.openwall.com/lists/oss-security/2022/07/20/3 MISC:[oss-security] 20221017 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets URL:http://www.openwall.com/lists/oss-security/2022/10/18/2 MISC:[oss-security] 20221104 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing URL:http://www.openwall.com/lists/oss-security/2022/11/04/8 MISC:[oss-security] 20221107 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing URL:http://www.openwall.com/lists/oss-security/2022/11/07/2 MISC:http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html URL:http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html MISC:https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw URL:https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw MISC:https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8 URL:https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8 MISC:https://security.netapp.com/advisory/ntap-20220729-0009/ URL:https://security.netapp.com/advisory/ntap-20220729-0009/ MISC:https://www.oracle.com/security-alerts/cpujul2022.html URL:https://www.oracle.com/security-alerts/cpujul2022.html
Assigning CNA
Apache Software Foundation
Date Record Created
20220621	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20220621)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)