CVE-2022-34169
7.5 HIGH
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
Published: 2022-07-19 · Last updated: 2026-05-27
Severity and scoring
- CVSS
- 7.5 HIGH
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
- CWE
- CWE-681
Affected products
| Vendor | Product |
|---|---|
| apache | xalan-java |
| azul | zulu |
| debian | debian_linux |
| fedoraproject | fedora |
| netapp | 7-mode_transition_tool, active_iq_unified_manager, cloud_insights_acquisition_unit |
| oracle | jdk, jre, graalvm_enterprise_edition |
Description
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. XSLTC, Xalan's internal compiler, translates a stylesheet into Java bytecode before running it; the truncation lets a crafted stylesheet corrupt the generated class files, so that loading them executes arbitrary Java bytecode chosen by the stylesheet's author. Any service that compiles a stylesheet an untrusted party can influence is therefore exposed to code execution, even though the CVSS vector above scores only the integrity impact (C:N/I:H/A:N). Users are recommended to update to Xalan-Java 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan, and the JDK's built-in TransformerFactory is XSLTC, so the runtime must be updated as well; the Oracle July 2022 Critical Patch Update and the Debian, Fedora and Gentoo advisories listed below ship those fixes.
Source: NVD
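Because the fix is a version bump of a library that is often buried in application bundles, the first practical check is an inventory of Xalan jars on disk. The following scanner is an added example, not code from the advisory or from the Xalan project. It assumes only what the Maven-published xalan artifact actually ships: a META-INF/maven/xalan/xalan/pom.properties with a version= line, and a manifest whose Implementation-Title names Xalan next to an Implementation-Version. A jar that carries the org/apache/xalan/xsltc/ package without either piece of metadata (a shaded copy) is reported as "unknown" and flagged conservatively. The jars built in demo() are constructed for the example and contain only that metadata.

```python
"""Flag Apache Xalan-Java jars older than 2.7.3 (the fixed release named in
the CVE-2022-34169 advisory) under a directory tree.

Added example, not part of the advisory or of the Xalan project. It assumes
only two things about a Xalan jar, both true of the Maven-published
artifact: it carries META-INF/maven/xalan/xalan/pom.properties, and its
manifest names Xalan in Implementation-Title with an Implementation-Version.
The jars built by demo() are synthetic and contain only that metadata."""
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (2, 7, 3)
POM_PROPERTIES = "META-INF/maven/xalan/xalan/pom.properties"
MANIFEST = "META-INF/MANIFEST.MF"
XSLTC_MARKER = "org/apache/xalan/xsltc/"  # package of the compiler the CVE is in


def parse_version(text):
    """'2.7.2' -> (2, 7, 2); '2.7' -> (2, 7, 0); unparseable -> None."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def xalan_version_from_jar(path):
    """Return the Xalan version string found in the jar, 'unknown' when the
    jar ships the XSLTC package without version metadata (a shaded or
    repackaged copy), or None when the jar is not Xalan at all."""
    with zipfile.ZipFile(path) as jar:
        names = set(jar.namelist())
        if POM_PROPERTIES in names:
            for line in jar.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return line.split("=", 1)[1].strip()
        if MANIFEST in names:
            manifest = jar.read(MANIFEST).decode("utf-8", "replace")
            if re.search(r"^Implementation-Title:.*xalan", manifest, re.I | re.M):
                m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.M)
                if m:
                    return m.group(1)
        if any(n.startswith(XSLTC_MARKER) for n in names):
            return "unknown"
    return None


def scan(root):
    """Walk root; return {jar_path: (version, vulnerable)} for every jar that
    looks like Xalan. Unknown versions are flagged so they get reviewed."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                version = xalan_version_from_jar(path)
            except zipfile.BadZipFile:
                continue  # not a real jar; skip rather than abort the scan
            if version is None:
                continue
            parsed = parse_version(version)
            findings[path] = (version, parsed is None or parsed < FIXED_VERSION)
    return findings


def build_sample_jar(path, version=None, shaded=False):
    """Constructed jar: Maven metadata for the given version, or only an
    XSLTC class path when simulating a shaded copy with no version info."""
    with zipfile.ZipFile(path, "w") as jar:
        if shaded:
            jar.writestr(XSLTC_MARKER + "compiler/XSLTC.class", b"")
            return
        jar.writestr(MANIFEST,
                     "Manifest-Version: 1.0\r\nImplementation-Title: Xalan\r\n"
                     f"Implementation-Version: {version}\r\n\r\n")
        jar.writestr(POM_PROPERTIES,
                     f"version={version}\r\ngroupId=xalan\r\nartifactId=xalan\r\n")


def demo():
    """Build three constructed Xalan-like jars plus one unrelated jar in a
    temp dir and return the scan result keyed by file name."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_jar(os.path.join(d, "xalan-2.7.2.jar"), "2.7.2")
        build_sample_jar(os.path.join(d, "xalan-2.7.3.jar"), "2.7.3")
        build_sample_jar(os.path.join(d, "app-all.jar"), shaded=True)
        with zipfile.ZipFile(os.path.join(d, "other.jar"), "w") as jar:
            jar.writestr(MANIFEST, "Manifest-Version: 1.0\r\n\r\n")
        return {os.path.basename(p): v for p, v in scan(d).items()}


if __name__ == "__main__":
    for jar, (ver, vuln) in sorted(demo().items()):
        print(f"{jar}: {ver} {'VULNERABLE' if vuln else 'ok'}")
```

Run scan() over an application's lib directory or an unpacked container image. Two caveats: the JDK's own copy lives in the runtime's modules, not in a jar on the classpath, so it is tracked by JDK build number against the vendor advisories in the references below rather than by this scanner; and a version match establishes presence, not exposure, which depends on whether any code path compiles a stylesheet that an outside party can supply or modify.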
References
- [NVD]https://nvd.nist.gov/vuln/detail/CVE-2022-34169
- [Other]http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
- [Other]http://www.openwall.com/lists/oss-security/2022/07/19/5
- [Other]http://www.openwall.com/lists/oss-security/2022/07/19/6
- [Other]http://www.openwall.com/lists/oss-security/2022/07/20/2
- [Patch]http://www.openwall.com/lists/oss-security/2022/07/20/3
- [Patch]http://www.openwall.com/lists/oss-security/2022/10/18/2
- [Other]http://www.openwall.com/lists/oss-security/2022/11/04/8
- [Other]http://www.openwall.com/lists/oss-security/2022/11/07/2
- [Vendor advisory]https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
- [Vendor advisory]https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
- [Other]https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/
- [Other]https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/
- [Other]https://security.gentoo.org/glsa/202401-25
- [Other]https://security.netapp.com/advisory/ntap-20220729-0009/
- [Other]https://security.netapp.com/advisory/ntap-20240621-0006/
- [Other]https://www.debian.org/security/2022/dsa-5188
- [Other]https://www.debian.org/security/2022/dsa-5192
- [Other]https://www.debian.org/security/2022/dsa-5256
- [Patch]https://www.oracle.com/security-alerts/cpujul2022.html
Related CVEs
Same vendor
- CVE-2026-50645 — There is no restriction on the amount of attachment headers that a message can contain when being deserialized by Apache CXF, which can l... (7.5 HIGH)
- CVE-2026-50634 — A vulnerability in Apache CXF's JwsJsonContainerRequestFilter can be exploited to cause CXF to process metadata that was not authenticate... (6.5 MEDIUM)
- CVE-2026-50633 — A JNDI Injection vulnerability has been discovered in Apache CXF's JCA integration module, which can allow for code execution, if an atta... (8.1 HIGH)
- CVE-2026-50632 — A further incomplete fix for a previous advisory CVE-2026-44417 (Untrusted JMS configuration can lead to RCE) for Apache CXF has been ide... (8.1 HIGH)
- CVE-2026-50631 — A race condition in AbstractOAuthDataProvider allows concurrent requests using the same Refresh Token to bypass single-use semantics and ... (7.4 HIGH)
Same CWE
- CVE-2026-24192 — NVIDIA Display Driver for Linux contains a vulnerability where an attacker could cause an incorrect conversion between numeric types, lea... (7.8 HIGH)
- CVE-2026-4931 — Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost (6.8 MEDIUM)