CVE-2022-34169

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or l...

high 7.5 CVSS 3.1

Published: Jul 19, 2022

Modified: May 27, 2026

Vendor: Apache

Versions: 10.0,11.0,20.3.6,21.3.2,22.1.0,1.7.0,1.8.0,11.0.15.1,17.0.3.1,18.0.1.1

Description

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

References

Related CVEs

CVSS Breakdown

Version	3.1
Score	7.5 / 10
Severity	high

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Weakness (CWE)

CWE-681

Affected Product

Vendor	Apache
Product	Xalan-Java
Versions	10.0,11.0,20.3.6,21.3.2,22.1.0,1.7.0,1.8.0,11.0.15.1,17.0.3.1,18.0.1.1