xalan:xalan@2.3.1 vulnerabilities
-
latest version
2.7.3
-
latest non vulnerable version
-
first published
22 years ago
-
latest version published
2 years ago
-
licenses detected
- [2.1.0,2.4.0)
-
package manager
Direct Vulnerabilities
Known vulnerabilities in the xalan:xalan package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
xalan:xalan is a XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program. Affected versions of this package are vulnerable to Arbitrary Code Execution when processing malicious XSLT stylesheets, due to an integer truncation issue. This allows attackers to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. NOTE: Fixed releases are not expected for the Apache Xalan project, which is being retired. How to fix Arbitrary Code Execution? Upgrade |
[0,2.7.3)
|
xalan:xalan is a XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program. Affected versions of this package are vulnerable to Arbitrary Class Load. The TransformerFactory in does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted How to fix Arbitrary Class Load? Upgrade |
[,2.7.2)
|