GHSA-9339-86wc-4qgf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9339-86wc-4qgf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-9339-86wc-4qgf/GHSA-9339-86wc-4qgf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9339-86wc-4qgf
- Aliases
- Published
- 2022-07-20T00:00:18Z
- Modified
- 2024-06-26T05:25:50.787717Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets
- Details
-
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
A fix for this issue was published in September 2022 as part of an anticipated 2.7.3 release.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-34169
- https://xalan.apache.org
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.debian.org/security/2022/dsa-5256
- https://www.debian.org/security/2022/dsa-5192
- https://www.debian.org/security/2022/dsa-5188
- https://security.netapp.com/advisory/ntap-20240621-0006
- https://security.netapp.com/advisory/ntap-20220729-0009
- https://security.gentoo.org/glsa/202401-25
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L
- https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html
- https://lists.apache.org/thread/x3f7xv3p1g32qj2hlg8wd57pwcpld471
- https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
- https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
- https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=da3e0d06b467247643ce04e88d3346739d119f21
- https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=ab57211e5d2e97cbed06786f919fa9b749c83573
- https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=2e60d0a9a5b822c4abf9051857973b1c6babfe81
- https://gitbox.apache.org/repos/asf?p=xalan-java.git
- http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
- http://www.openwall.com/lists/oss-security/2022/07/19/5
- http://www.openwall.com/lists/oss-security/2022/07/19/6
- http://www.openwall.com/lists/oss-security/2022/07/20/2
- http://www.openwall.com/lists/oss-security/2022/07/20/3
- http://www.openwall.com/lists/oss-security/2022/10/18/2
- http://www.openwall.com/lists/oss-security/2022/11/04/8
- http://www.openwall.com/lists/oss-security/2022/11/07/2
Affected packages
Maven / xalan:xalan
Package
- Name
- xalan:xalan
- View open source insights on deps.dev
- Purl
- pkg:maven/xalan/xalan