Lucene search

K
cveApacheCVE-2022-34169
HistoryJul 19, 2022 - 6:15 p.m.

CVE-2022-34169

2022-07-1918:15:11
CWE-681
apache
web.nvd.nist.gov
483
22
apache
xalan
java
xslt
library
integer truncation
vulnerability
malicious
stylesheets
java bytecode
update
nvd
cve-2022-34169

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

8

Confidence

High

EPSS

0.002

Percentile

53.3%

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Affected configurations

Nvd
Vulners
Node
apachexalan-javaRange2.7.2
Node
debiandebian_linuxMatch10.0
OR
debiandebian_linuxMatch11.0
Node
oraclegraalvmMatch20.3.6enterprise
OR
oraclegraalvmMatch21.3.2enterprise
OR
oraclegraalvmMatch22.1.0enterprise
OR
oraclejdkMatch1.7.0update343
OR
oraclejdkMatch1.8.0update333
OR
oraclejdkMatch11.0.15.1
OR
oraclejdkMatch17.0.3.1
OR
oraclejdkMatch18.0.1.1
OR
oraclejreMatch1.7.0update343
OR
oraclejreMatch1.8.0update333
OR
oraclejreMatch11.0.15.1
OR
oraclejreMatch17.0.3.1
OR
oraclejreMatch18.0.1.1
Node
oracleopenjdkRange1111.0.15
OR
oracleopenjdkRange1313.0.11
OR
oracleopenjdkRange1515.0.7
OR
oracleopenjdkRange1717.0.3
OR
oracleopenjdkMatch7-
OR
oracleopenjdkMatch7update1
OR
oracleopenjdkMatch7update10
OR
oracleopenjdkMatch7update101
OR
oracleopenjdkMatch7update11
OR
oracleopenjdkMatch7update111
OR
oracleopenjdkMatch7update121
OR
oracleopenjdkMatch7update13
OR
oracleopenjdkMatch7update131
OR
oracleopenjdkMatch7update141
OR
oracleopenjdkMatch7update15
OR
oracleopenjdkMatch7update151
OR
oracleopenjdkMatch7update161
OR
oracleopenjdkMatch7update17
OR
oracleopenjdkMatch7update171
OR
oracleopenjdkMatch7update181
OR
oracleopenjdkMatch7update191
OR
oracleopenjdkMatch7update2
OR
oracleopenjdkMatch7update201
OR
oracleopenjdkMatch7update21
OR
oracleopenjdkMatch7update211
OR
oracleopenjdkMatch7update221
OR
oracleopenjdkMatch7update231
OR
oracleopenjdkMatch7update241
OR
oracleopenjdkMatch7update25
OR
oracleopenjdkMatch7update251
OR
oracleopenjdkMatch7update261
OR
oracleopenjdkMatch7update271
OR
oracleopenjdkMatch7update281
OR
oracleopenjdkMatch7update291
OR
oracleopenjdkMatch7update3
OR
oracleopenjdkMatch7update301
OR
oracleopenjdkMatch7update311
OR
oracleopenjdkMatch7update321
OR
oracleopenjdkMatch7update4
OR
oracleopenjdkMatch7update40
OR
oracleopenjdkMatch7update45
OR
oracleopenjdkMatch7update5
OR
oracleopenjdkMatch7update51
OR
oracleopenjdkMatch7update55
OR
oracleopenjdkMatch7update6
OR
oracleopenjdkMatch7update60
OR
oracleopenjdkMatch7update65
OR
oracleopenjdkMatch7update67
OR
oracleopenjdkMatch7update7
OR
oracleopenjdkMatch7update72
OR
oracleopenjdkMatch7update76
OR
oracleopenjdkMatch7update80
OR
oracleopenjdkMatch7update85
OR
oracleopenjdkMatch7update9
OR
oracleopenjdkMatch7update91
OR
oracleopenjdkMatch7update95
OR
oracleopenjdkMatch7update97
OR
oracleopenjdkMatch7update99
OR
oracleopenjdkMatch8-
OR
oracleopenjdkMatch8milestone1
OR
oracleopenjdkMatch8milestone2
OR
oracleopenjdkMatch8milestone3
OR
oracleopenjdkMatch8milestone4
OR
oracleopenjdkMatch8milestone5
OR
oracleopenjdkMatch8milestone6
OR
oracleopenjdkMatch8milestone7
OR
oracleopenjdkMatch8milestone8
OR
oracleopenjdkMatch8milestone9
OR
oracleopenjdkMatch8update101
OR
oracleopenjdkMatch8update102
OR
oracleopenjdkMatch8update11
OR
oracleopenjdkMatch8update111
OR
oracleopenjdkMatch8update112
OR
oracleopenjdkMatch8update121
OR
oracleopenjdkMatch8update131
OR
oracleopenjdkMatch8update141
OR
oracleopenjdkMatch8update151
OR
oracleopenjdkMatch8update152
OR
oracleopenjdkMatch8update161
OR
oracleopenjdkMatch8update162
OR
oracleopenjdkMatch8update171
OR
oracleopenjdkMatch8update172
OR
oracleopenjdkMatch8update181
OR
oracleopenjdkMatch8update191
OR
oracleopenjdkMatch8update192
OR
oracleopenjdkMatch8update20
OR
oracleopenjdkMatch8update201
OR
oracleopenjdkMatch8update202
OR
oracleopenjdkMatch8update211
OR
oracleopenjdkMatch8update212
OR
oracleopenjdkMatch8update221
OR
oracleopenjdkMatch8update222
OR
oracleopenjdkMatch8update231
OR
oracleopenjdkMatch8update232
OR
oracleopenjdkMatch8update241
OR
oracleopenjdkMatch8update242
OR
oracleopenjdkMatch8update25
OR
oracleopenjdkMatch8update252
OR
oracleopenjdkMatch8update262
OR
oracleopenjdkMatch8update271
OR
oracleopenjdkMatch8update281
OR
oracleopenjdkMatch8update282
OR
oracleopenjdkMatch8update291
OR
oracleopenjdkMatch8update301
OR
oracleopenjdkMatch8update302
OR
oracleopenjdkMatch8update31
OR
oracleopenjdkMatch8update312
OR
oracleopenjdkMatch8update322
OR
oracleopenjdkMatch8update332
OR
oracleopenjdkMatch8update40
OR
oracleopenjdkMatch8update45
OR
oracleopenjdkMatch8update5
OR
oracleopenjdkMatch8update51
OR
oracleopenjdkMatch8update60
OR
oracleopenjdkMatch8update65
OR
oracleopenjdkMatch8update66
OR
oracleopenjdkMatch8update71
OR
oracleopenjdkMatch8update72
OR
oracleopenjdkMatch8update73
OR
oracleopenjdkMatch8update74
OR
oracleopenjdkMatch8update77
OR
oracleopenjdkMatch8update91
OR
oracleopenjdkMatch8update92
OR
oracleopenjdkMatch18
Node
fedoraprojectfedoraMatch35
OR
fedoraprojectfedoraMatch36
Node
netapp7-mode_transition_toolMatch-
OR
netappactive_iq_unified_managerMatch-vmware_vsphere
OR
netappactive_iq_unified_managerMatch-windows
OR
netappcloud_insights_acquisition_unitMatch-
OR
netappcloud_secure_agentMatch-
OR
netapphci_management_nodeMatch-
OR
netapponcommand_insightMatch-
OR
netappsolidfireMatch-
OR
netapphci_compute_nodeMatch-
Node
azulzuluMatch6.47
OR
azulzuluMatch7.54
OR
azulzuluMatch8.62
OR
azulzuluMatch11.56
OR
azulzuluMatch13.48
OR
azulzuluMatch15.40
OR
azulzuluMatch17.34
OR
azulzuluMatch18.30
VendorProductVersionCPE
apachexalan-java*cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
debiandebian_linux11.0cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
oraclegraalvm20.3.6cpe:2.3:a:oracle:graalvm:20.3.6:*:*:*:enterprise:*:*:*
oraclegraalvm21.3.2cpe:2.3:a:oracle:graalvm:21.3.2:*:*:*:enterprise:*:*:*
oraclegraalvm22.1.0cpe:2.3:a:oracle:graalvm:22.1.0:*:*:*:enterprise:*:*:*
oraclejdk1.7.0cpe:2.3:a:oracle:jdk:1.7.0:update343:*:*:*:*:*:*
oraclejdk1.8.0cpe:2.3:a:oracle:jdk:1.8.0:update333:*:*:*:*:*:*
oraclejdk11.0.15.1cpe:2.3:a:oracle:jdk:11.0.15.1:*:*:*:*:*:*:*
oraclejdk17.0.3.1cpe:2.3:a:oracle:jdk:17.0.3.1:*:*:*:*:*:*:*
Rows per page:
1-10 of 1561

CNA Affected

[
  {
    "product": "Apache Xalan-J",
    "vendor": "Apache Software Foundation",
    "versions": [
      {
        "lessThanOrEqual": "2.7.2",
        "status": "affected",
        "version": "Xalan-J",
        "versionType": "custom"
      }
    ]
  }
]

References

Social References

More

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

AI Score

8

Confidence

High

EPSS

0.002

Percentile

53.3%