GHSA-9339-86wc-4qgf

Source

https://github.com/advisories/GHSA-9339-86wc-4qgf

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-9339-86wc-4qgf/GHSA-9339-86wc-4qgf.json

Aliases

• CVE-2022-34169

Published

2022-07-20T00:00:18Z

Modified

2024-03-14T05:16:51.559434Z

Summary

Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets

Details

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.

A fix for this issue was published in September 2022 as part of an anticipated 2.7.3 release.

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-34169
• https://xalan.apache.org
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://www.debian.org/security/2022/dsa-5256
• https://www.debian.org/security/2022/dsa-5192
• https://www.debian.org/security/2022/dsa-5188
• https://security.netapp.com/advisory/ntap-20220729-0009
• https://security.gentoo.org/glsa/202401-25
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L
• https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html
• https://lists.apache.org/thread/x3f7xv3p1g32qj2hlg8wd57pwcpld471
• https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
• https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
• https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=da3e0d06b467247643ce04e88d3346739d119f21
• https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=ab57211e5d2e97cbed06786f919fa9b749c83573
• https://gitbox.apache.org/repos/asf?p=xalan-java.git;a=commit;h=2e60d0a9a5b822c4abf9051857973b1c6babfe81
• https://gitbox.apache.org/repos/asf?p=xalan-java.git
• http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
• http://www.openwall.com/lists/oss-security/2022/07/19/5
• http://www.openwall.com/lists/oss-security/2022/07/19/6
• http://www.openwall.com/lists/oss-security/2022/07/20/2
• http://www.openwall.com/lists/oss-security/2022/07/20/3
• http://www.openwall.com/lists/oss-security/2022/10/18/2
• http://www.openwall.com/lists/oss-security/2022/11/04/8
• http://www.openwall.com/lists/oss-security/2022/11/07/2