CVE-2022-34169

Опубликовано: 19 июл. 2022

Источник: nvd

CVSS3: 7.5

EPSS Средний

Описание

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Ссылки

http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
Third Party Advisory
VDB Entry
http://www.openwall.com/lists/oss-security/2022/07/19/5
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/07/19/6
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/07/20/2
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/07/20/3
Mailing List
Patch
Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/10/18/2
Mailing List
Patch
Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/11/04/8
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2022/11/07/2
Mailing List
Third Party Advisory
https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
Issue Tracking
Mailing List
Vendor Advisory
https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
Issue Tracking
Mailing List
Vendor Advisory
https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/
https://security.gentoo.org/glsa/202401-25
https://security.netapp.com/advisory/ntap-20220729-0009/
Third Party Advisory
https://security.netapp.com/advisory/ntap-20240621-0006/

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:*

Версия до 2.7.2 (включая)

Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Конфигурация 3

Одно из

cpe:2.3:a:oracle:graalvm:20.3.6:*:*:*:enterprise:*:*:*

cpe:2.3:a:oracle:graalvm:21.3.2:*:*:*:enterprise:*:*:*

cpe:2.3:a:oracle:graalvm:22.1.0:*:*:*:enterprise:*:*:*

cpe:2.3:a:oracle:jdk:1.7.0:update343:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:1.8.0:update333:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:11.0.15.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:17.0.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jdk:18.0.1.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jre:1.7.0:update343:*:*:*:*:*:*

cpe:2.3:a:oracle:jre:1.8.0:update333:*:*:*:*:*:*

cpe:2.3:a:oracle:jre:11.0.15.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jre:17.0.3.1:*:*:*:*:*:*:*

cpe:2.3:a:oracle:jre:18.0.1.1:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*

Версия от 11 (включая) до 11.0.15 (включая)

cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*

Версия от 13 (включая) до 13.0.11 (включая)

cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*

Версия от 15 (включая) до 15.0.7 (включая)

cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*

Версия от 17 (включая) до 17.0.3 (включая)

cpe:2.3:a:oracle:openjdk:7:-:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update1:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update10:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update101:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update11:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update111:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update121:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update13:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update131:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update141:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update15:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update151:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update161:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update17:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update171:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update181:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update191:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update2:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update201:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update21:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update211:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update221:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update231:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update241:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update25:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update251:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update261:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update271:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update281:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update291:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update3:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update301:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update311:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update321:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update4:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update40:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update45:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update5:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update51:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update55:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update6:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update60:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update65:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update67:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update7:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update72:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update76:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update80:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update85:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update9:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update91:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update95:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update97:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:7:update99:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:-:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone1:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone2:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone3:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone4:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone5:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone6:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone7:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone8:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:milestone9:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update101:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update102:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update11:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update111:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update112:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update121:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update131:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update141:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update151:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update152:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update161:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update162:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update171:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update172:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update181:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update191:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update192:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update20:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update201:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update202:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update211:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update212:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update221:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update222:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update231:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update232:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update241:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update242:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update25:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update252:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update262:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update271:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update281:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update282:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update291:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update301:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update302:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update31:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update312:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update322:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update332:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update40:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update45:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update5:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update51:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update60:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update65:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update66:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update71:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update72:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update73:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update74:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update77:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update91:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:8:update92:*:*:*:*:*:*

cpe:2.3:a:oracle:openjdk:18:*:*:*:*:*:*:*

Конфигурация 5

Одно из

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

Конфигурация 6

Одно из

cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*

cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*

Конфигурация 7

Одно из

cpe:2.3:a:azul:zulu:6.47:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:7.54:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:8.62:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:11.56:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:13.48:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:15.40:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:17.34:*:*:*:*:*:*:*

cpe:2.3:a:azul:zulu:18.30:*:*:*:*:*:*:*

EPSS

Процентиль: 93%

0.1173

Средний

7.5 High

CVSS3

Дефекты

CWE-681

Связанные уязвимости

CVE-2022-34169

CVSS3: 7.5

ubuntu

почти 3 года назад

CVE-2022-34169

CVSS3: 7.5

redhat

почти 3 года назад

CVE-2022-34169

CVSS3: 7.5

debian

почти 3 года назад

The Apache Xalan Java XSLT library is vulnerable to an integer truncat ...

SUSE-RU-2024:3971-1

suse-cvrf

7 месяцев назад

Recommended update for mojo-parent

GHSA-9339-86wc-4qgf

CVSS3: 7.5

github

почти 3 года назад

Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets

EPSS

Процентиль: 93%

0.1173

Средний

7.5 High

CVSS3

Дефекты

CWE-681