Severity
7.5 HIGH
EPSS
6.7%
top 8.78%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jul 19
Latest update: Jul 15
Description
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 11 packages
Also affects: Debian Linux 10.0, 11.0, Fedora 35, 36
Patches
Vulnerability Details (5)
OSV: Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets (2022-07-20)
GHSA: Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets (2022-07-20)
OSV: CVE-2022-34169: The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets (2022-07-19)
CVEList: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets (2022-07-19)
Vendor Advisories (14)
Oracle: Oracle Retail Applications Risk Matrix: Mathematical Operators (Apache Xalan-Java), CVE-2022-34169 (2025-07-15)
Oracle: Oracle Financial Services Applications Risk Matrix: Reports (Apache Xalan-Java), CVE-2022-34169 (2025-01-15)
Oracle: Oracle Commerce Risk Matrix: Workbench, Content Acquisition System, Platform Services (Apache Xalan-Java), CVE-2022-34169 (2024-07-15)
Oracle: Oracle Communications Applications Risk Matrix: General (Apache Xalan-Java), CVE-2022-34169 (2024-04-15)
Atlassian: CVE-2022-34169: RCE (Remote Code Execution) xalan:xalan Dependency in Jira Software Data Center and Server (2024-03-19)