CVE-2022-34169

Опубликовано: 19 июл. 2022

Источник: nvd

CVSS3: 7.5

EPSS Низкий

Описание

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Ссылки

http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
Third Party Advisory
VDB Entry
http://www.openwall.com/lists/oss-security/2022/07/19/5
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/07/19/6
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/07/20/2
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/07/20/3
Mailing List
Patch
Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/10/18/2
Mailing List
Patch
Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/11/04/8
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/11/07/2
Mailing List
Third Party Advisory
https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
Issue Tracking
Mailing List
Vendor Advisory
https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
Issue Tracking
Mailing List
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/
https://security.gentoo.org/glsa/202401-25
https://security.netapp.com/advisory/ntap-20220729-0009/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:*

Версия до 2.7.2 (включая)

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:oracle:graalvm:20.3.6:*:*:*:enterprise:*:*:*

cpe:2.3:a:oracle:graalvm:21.3.2:*:*:*:enterprise:*:*:*

cpe:2.3:a:oracle:graalvm:22.1.0:*:*:*:enterprise:*:*:*

cpe:2.3:a:oracle:jdk:1.7.0:update343:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.8.0:update333:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:11.0.15.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:17.0.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:18.0.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jre:1.7.0:update343:*:*:*:*:*:*

cpe:2.3:a:oracle:jre:1.8.0:update333:*:*:*:*:*:*

cpe:2.3:a:oracle:jre:11.0.15.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jre:17.0.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jre:18.0.1.1:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*

Версия от 11 (включая) до 11.0.15 (включая)

cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*

Версия от 13 (включая) до 13.0.11 (включая)

cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*

Версия от 15 (включая) до 15.0.7 (включая)

cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*

Версия от 17 (включая) до 17.0.3 (включая)

cpe:2.3:a:oracle:openjdk:7:-:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update1:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update10:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update101:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update11:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update111:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update121:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update13:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update131:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update141:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update15:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update151:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update161:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update17:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update171:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update181:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update191:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update2:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update201:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update21:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update211:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update221:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update231:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update241:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update25:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update251:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update261:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update271:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update281:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update291:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update3:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update301:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update311:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update321:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update4:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update40:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update45:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update5:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update51:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update55:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update6:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update60:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update65:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update67:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update7:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update72:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update76:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update80:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update85:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update9:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update91:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update95:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update97:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update99:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:-:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone1:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone2:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone3:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone4:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone5:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone6:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone7:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone8:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone9:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update101:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update102:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update11:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update111:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update112:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update121:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update131:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update141:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update151:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update152:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update161:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update162:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update171:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update172:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update181:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update191:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update192:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update20:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update201:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update202:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update211:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update212:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update221:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update222:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update231:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update232:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update241:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update242:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update25:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update252:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update262:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update271:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update281:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update282:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update291:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update301:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update302:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update31:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update312:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update322:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update332:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update40:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update45:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update5:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update51:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update60:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update65:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update66:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update71:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update72:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update73:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update74:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update77:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update91:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update92:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:18:*:*:*:*:*:*:*

Конфигурация 5

Одно из

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Конфигурация 6

Одно из

cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*

cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

Конфигурация 7

Одно из

cpe:2.3:a:azul:zulu:6.47:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:7.54:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:8.62:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:11.56:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:13.48:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:15.40:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:17.34:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:18.30:*:*:*:*:*:*:*

EPSS

Процентиль: 92%

0.08775

Низкий

7.5 High

CVSS3

Дефекты

CWE-681

Связанные уязвимости

CVE-2022-34169

CVSS3: 7.5

ubuntu

больше 3 лет назад

CVE-2022-34169

CVSS3: 7.5

redhat

больше 3 лет назад

CVE-2022-34169

CVSS3: 7.5

msrc

около 2 месяцев назад

Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets

CVE-2022-34169

CVSS3: 7.5

debian

больше 3 лет назад

The Apache Xalan Java XSLT library is vulnerable to an integer truncat ...

SUSE-RU-2024:3971-1

suse-cvrf

11 месяцев назад

Recommended update for mojo-parent

EPSS

Процентиль: 92%

0.08775

Низкий

7.5 High

CVSS3

Дефекты

CWE-681