xalan:xalan 2.7.0

Direct Vulnerabilities

Known vulnerabilities in the xalan:xalan package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
C Arbitrary Code Execution xalan:xalan is a XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program. Affected versions of this package are vulnerable to Arbitrary Code Execution when processing malicious XSLT stylesheets, due to an integer truncation issue. This allows attackers to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. How to fix Arbitrary Code Execution? Upgrade `xalan:xalan` to version 2.7.3 or higher.	[0,2.7.3)
H Arbitrary Class Load xalan:xalan is a XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program. Affected versions of this package are vulnerable to Arbitrary Class Load. The TransformerFactory in does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted `xalan:content-header`, `xalan:entities`, `xslt:content-header`, `xslt:entities` property, or a Java property that is bound to the XSLT 1.0 system-property function. How to fix Arbitrary Class Load? Upgrade `xalan:xalan` to version 2.7.2 or higher.	[,2.7.2)

Vulnerability

Vulnerable Version

Arbitrary Code Execution

xalan:xalan is a XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program.

Affected versions of this package are vulnerable to Arbitrary Code Execution when processing malicious XSLT stylesheets, due to an integer truncation issue. This allows attackers to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.

How to fix Arbitrary Code Execution?

Upgrade xalan:xalan to version 2.7.3 or higher.

[0,2.7.3)

Arbitrary Class Load

Affected versions of this package are vulnerable to Arbitrary Class Load. The TransformerFactory in does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted xalan:content-header, xalan:entities, xslt:content-header, xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

How to fix Arbitrary Class Load?

Upgrade xalan:xalan to version 2.7.2 or higher.

[,2.7.2)

xalan:xalan@2.7.0

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically