GHSA-9339-86wc-4qgf

Suggest an improvement
Source
https://github.com/advisories/GHSA-9339-86wc-4qgf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-9339-86wc-4qgf/GHSA-9339-86wc-4qgf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-9339-86wc-4qgf
Aliases
Published
2022-07-20T00:00:18Z
Modified
2024-06-26T05:25:50.787717Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVSS Calculator
Summary
Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets
Details

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.

A fix for this issue was published in September 2022 as part of an anticipated 2.7.3 release.

References

Affected packages

Maven / xalan:xalan

Package

Name
xalan:xalan
View open source insights on deps.dev
Purl
pkg:maven/xalan/xalan

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.7.3

Affected versions

2.*

2.1.0
2.3.1
2.4.0
2.4.1
2.5.0
2.5.D1
2.5.1
2.6.0
2.7.0
2.7.1
2.7.2