CVSS3: 7.5 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | NONE |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | HIGH |
Availability Impact | NONE |

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 5 Medium

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | PARTIAL |
Availability Impact | NONE |

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.002 Low (Percentile: 52.6%)

The Apache Xalan Java XSLT library is vulnerable to an integer truncation
issue when processing malicious XSLT stylesheets. This can be used to
corrupt Java class files generated by the internal XSLTC compiler and
execute arbitrary Java bytecode. Users are recommended to update to version
2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged
copies of Xalan.
Author | Note |
---|---|
leosilva | bug is mostly in bcel and java. There is no fix in xalan, it seems. |
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | libxalan2-java | < any | UNKNOWN |
ubuntu | 20.04 | noarch | libxalan2-java | < any | UNKNOWN |
ubuntu | 22.04 | noarch | libxalan2-java | < any | UNKNOWN |
ubuntu | 23.10 | noarch | libxalan2-java | < any | UNKNOWN |
ubuntu | 14.04 | noarch | libxalan2-java | < any | UNKNOWN |
ubuntu | 16.04 | noarch | libxalan2-java | < any | UNKNOWN |
ubuntu | 18.04 | noarch | openjdk-17 | < 17.0.4+8-1~18.04 | UNKNOWN |
ubuntu | 20.04 | noarch | openjdk-17 | < 17.0.4+8-1~20.04 | UNKNOWN |
ubuntu | 22.04 | noarch | openjdk-17 | < 17.0.4+8-1~22.04 | UNKNOWN |
ubuntu | 22.10 | noarch | openjdk-17 | < 17.0.4+8-1 | UNKNOWN |
github.com/openjdk/jdk/commit/41ef2b249073450172e11163a4d05762364b1297
launchpad.net/bugs/cve/CVE-2022-34169
lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
marc.info/?l=oss-security&m=165825217622132
nvd.nist.gov/vuln/detail/CVE-2022-34169
openjdk.org/groups/vulnerability/advisories/2022-07-19
security-tracker.debian.org/tracker/CVE-2022-34169
ubuntu.com/security/notices/USN-5546-1
ubuntu.com/security/notices/USN-5546-2
www.cve.org/CVERecord?id=CVE-2022-34169