Arbitrary Code Execution Affecting xalan:xalan package, versions [0,2.7.3)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-XALAN-2953385
- published 20 Jul 2022
- disclosed 20 Jul 2022
- credit Felix Wilhelm
Introduced: 20 Jul 2022
CVE-2022-34169 Open this link in a new tabHow to fix?
Upgrade xalan:xalan to version 2.7.3 or higher.
Overview
xalan:xalan is a XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program.
Affected versions of this package are vulnerable to Arbitrary Code Execution when processing malicious XSLT stylesheets, due to an integer truncation issue. This allows attackers to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.
NOTE: Fixed releases are not expected for the Apache Xalan project, which is being retired.