xalan:xalan@2.6.0 vulnerabilities

latest version

2.7.3
latest non vulnerable version

2.7.3
first published

22 years ago
latest version published

2 years ago
licenses detected
- Apache-2.0
  [2.6.0,)
package manager

View on Maven Repository

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the xalan:xalan package. This does not include vulnerabilities belonging to this package’s dependencies.

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability Vulnerable Version

Vulnerability	Vulnerable Version
C Arbitrary Code Execution xalan:xalan is a XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program. Affected versions of this package are vulnerable to Arbitrary Code Execution when processing malicious XSLT stylesheets, due to an integer truncation issue. This allows attackers to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. NOTE: Fixed releases are not expected for the Apache Xalan project, which is being retired. How to fix Arbitrary Code Execution? Upgrade `xalan:xalan` to version 2.7.3 or higher.	[0,2.7.3)
H Arbitrary Class Load xalan:xalan is a XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program. Affected versions of this package are vulnerable to Arbitrary Class Load. The TransformerFactory in does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted `xalan:content-header`, `xalan:entities`, `xslt:content-header`, `xslt:entities` property, or a Java property that is bound to the XSLT 1.0 system-property function. How to fix Arbitrary Class Load? Upgrade `xalan:xalan` to version 2.7.2 or higher.	[,2.7.2)

Arbitrary Code Execution

xalan:xalan is a XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program.

Affected versions of this package are vulnerable to Arbitrary Code Execution when processing malicious XSLT stylesheets, due to an integer truncation issue. This allows attackers to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.

NOTE: Fixed releases are not expected for the Apache Xalan project, which is being retired.

How to fix Arbitrary Code Execution?

Upgrade xalan:xalan to version 2.7.3 or higher.

[0,2.7.3)

Arbitrary Class Load

Affected versions of this package are vulnerable to Arbitrary Class Load. The TransformerFactory in does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted xalan:content-header, xalan:entities, xslt:content-header, xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

How to fix Arbitrary Class Load?

Upgrade xalan:xalan to version 2.7.2 or higher.

[,2.7.2)

Go back to all versions of this package

xalan:xalan@2.6.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities