CVE-2022-34169

HIGH7.5EPSS 11.0%

Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets

Published: 7/20/2022Modified: 4/28/2026

Also known as:DEBIAN-CVE-2022-34169

Description

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Affected packages (9)

Bitnami/java>= 1.8.0-333, <= 1.8.0-333, >= 11.0.15-1, <= 11.0.15-1, >= 17.0.3-1, <= 17.0.3-1
Bitnami/java-min>= 1.8.0-333, <= 1.8.0-333, >= 11.0.15-1, <= 11.0.15-1, >= 17.0.3-1, <= 17.0.3-1
Bitnami/jre>= 1.8.0-333, <= 1.8.0-333, >= 11.0.15-1, <= 11.0.15-1, >= 17.0.3-1, <= 17.0.3-1
Debian/bcelfrom 0, < 6.2-1+deb10u1
Debian/bcelfrom 0, < 6.5.0-1+deb11u1
Debian/bcelfrom 0, < 6.5.0-1+deb11u1
Debian/openjdk-11from 0, < 11.0.16+8-1~deb11u1
Debian/openjdk-17from 0, < 17.0.4+8-1~deb11u1
Maven/xalan:xalanfrom 0, < 2.7.3

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Description

Affected packages (9)

CVSS scores

References (46)