Vulnerability Details : CVE-2022-34169
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. The truncation can be used to corrupt the Java class files that the internal XSLTC compiler generates from a stylesheet, and so to execute arbitrary Java bytecode in the process that runs the transformation. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan as the built-in XSLT implementation behind javax.xml.transform, so an application that transforms attacker-supplied stylesheets is exposed through the runtime itself even if it has no direct dependency on the Xalan artifact; in that case the fix is a runtime update, not a library upgrade.
Products affected by CVE-2022-34169
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:17.0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:18.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:11.0.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.8.0:update333:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:1.7.0:update343:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:17.0.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:18.0.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:11.0.15.1:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.8.0:update333:*:*:*:*:*:*
- cpe:2.3:a:oracle:jre:1.7.0:update343:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update241:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update80:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update85:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:-:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update102:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update112:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update152:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update162:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update172:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update192:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update20:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update202:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update212:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update222:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update232:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update40:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update60:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update66:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update72:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update92:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update1:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update10:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update101:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update111:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update121:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update13:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update131:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update141:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update15:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update151:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update161:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update17:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update171:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update181:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update191:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update2:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update201:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update21:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update211:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update221:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update231:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update25:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update251:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update3:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update4:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update40:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update45:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update51:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update55:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update6:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update60:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update65:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update67:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update7:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update72:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update76:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update9:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update91:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update95:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update97:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update99:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update101:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update11:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update111:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update121:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update131:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update141:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update151:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update161:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update171:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update181:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update191:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update201:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update211:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update221:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update231:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update241:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update25:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update31:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update45:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update5:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update51:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update65:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update71:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update73:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update74:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update77:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update91:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update271:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update281:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update291:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update261:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:milestone1:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:milestone2:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:milestone3:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:milestone4:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:milestone5:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:milestone6:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:milestone7:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:milestone8:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:milestone9:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update271:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update281:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update282:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update242:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update252:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update262:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update301:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update291:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update301:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update311:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:7:update321:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update312:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update302:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update322:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:8:update332:*:*:*:*:*:*
- cpe:2.3:a:oracle:openjdk:18:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:graalvm:20.3.6:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:graalvm:21.3.2:*:*:*:enterprise:*:*:*
- cpe:2.3:a:oracle:graalvm:22.1.0:*:*:*:enterprise:*:*:*
- cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
- cpe:2.3:h:netapp:hci_compute_node:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*
- cpe:2.3:a:azul:zulu:17.34:*:*:*:*:*:*:*
- cpe:2.3:a:azul:zulu:7.54:*:*:*:*:*:*:*
- cpe:2.3:a:azul:zulu:8.62:*:*:*:*:*:*:*
- cpe:2.3:a:azul:zulu:11.56:*:*:*:*:*:*:*
- cpe:2.3:a:azul:zulu:13.48:*:*:*:*:*:*:*
- cpe:2.3:a:azul:zulu:15.40:*:*:*:*:*:*:*
- cpe:2.3:a:azul:zulu:18.30:*:*:*:*:*:*:*
- cpe:2.3:a:azul:zulu:6.47:*:*:*:*:*:*:*
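A version triage helper built from the affected-version identifiers listed above, as an added example rather than anything from the advisory or the vendors. It takes the highest release per JDK major line that the page lists as affected and treats anything newer on the same line as fixed (an assumption: the page enumerates affected releases, not fixed ones, so confirm against your vendor's July 2022 update), and uses the 2.7.3 threshold from the description for Xalan-J itself. Major lines the page does not enumerate (9, 10, 12 to 16) are reported as unknown rather than guessed.

```python
"""Version triage for CVE-2022-34169.

Added example (not from the advisory or any vendor).  The "last affected"
table is transcribed from the CPE identifiers on this page; treating every
newer release of the same major line as fixed is an assumption, since the
page lists affected releases rather than fixed ones.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Highest release per JDK major line that the page lists as affected.
LAST_AFFECTED_JDK: Dict[int, Version] = {
    7:  (7, 0, 343, 0),   # cpe:...:oracle:jdk:1.7.0:update343
    8:  (8, 0, 333, 0),   # cpe:...:oracle:jdk:1.8.0:update333
    11: (11, 0, 15, 1),   # cpe:...:oracle:jdk:11.0.15.1
    17: (17, 0, 3, 1),    # cpe:...:oracle:jdk:17.0.3.1
    18: (18, 0, 1, 1),    # cpe:...:oracle:jdk:18.0.1.1
}

XALAN_FIXED: Version = (2, 7, 3, 0)   # "update to version 2.7.3 or later"


def parse_java_version(text: str) -> Version:
    """Normalise the common Java version spellings to a 4-tuple.

    "1.8.0_333" and "8u333" both become (8, 0, 333, 0); "11.0.15.1" becomes
    (11, 0, 15, 1); "17.0.4+8" becomes (17, 0, 4, 0).
    """
    s = text.strip().strip('"')
    m = re.fullmatch(r"1\.([5-8])\.0(?:_(\d+))?(?:-.*)?", s)   # legacy 1.x.0_NNN[-bNN]
    if m:
        return (int(m.group(1)), 0, int(m.group(2) or 0), 0)
    m = re.fullmatch(r"([5-8])u(\d+)", s)                      # shorthand 8u333
    if m:
        return (int(m.group(1)), 0, int(m.group(2)), 0)
    m = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?(?:[-+].*)?", s)
    if m:                                                      # modern dotted form
        return tuple(int(g or 0) for g in m.groups())
    raise ValueError(f"unrecognised Java version string: {text!r}")


def parse_dotted(text: str) -> Version:
    """Plain dotted version (Xalan jar version) padded to four components."""
    parts = [int(p) for p in text.strip().split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4])


def jdk_status(version: str) -> str:
    """'affected', 'fixed', or 'unknown' (major line not enumerated on this page)."""
    v = parse_java_version(version)
    last = LAST_AFFECTED_JDK.get(v[0])
    if last is None:
        return "unknown"
    return "affected" if v <= last else "fixed"


def xalan_status(version: str) -> str:
    """Xalan-J artifact itself: fixed from 2.7.3 onward."""
    return "fixed" if parse_dotted(version) >= XALAN_FIXED else "affected"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map an inventory such as {'jdk': '11.0.15.1', 'xalan': '2.7.2'} to statuses."""
    out: Dict[str, str] = {}
    for component, version in inventory.items():
        out[component] = xalan_status(version) if component == "xalan" else jdk_status(version)
    return out


if __name__ == "__main__":
    # Constructed inventory for demonstration only.
    sample = {"jdk": "1.8.0_333", "xalan": "2.7.2"}
    for name, status in triage(sample).items():
        print(f"{name} {sample[name]}: {status}")
```

Feed it the output of `java -version` (the quoted string on the first line) and the version from the Xalan jar's manifest; a result of "unknown" means the major line is not on this page and needs a vendor advisory lookup rather than an assumption either way.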
Threat overview for CVE-2022-34169
Top countries where our scanners detected CVE-2022-34169: (chart not reproduced)
Top open port discovered on systems with this issue: 80
IPs affected by CVE-2022-34169: 267
Threat actors abusing this issue: Yes
Exploit prediction scoring system (EPSS) score for CVE-2022-34169
0.39% (probability of exploitation activity in the next 30 days)
~73% percentile (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2022-34169
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N | 3.9 | 3.6 | NIST |

Note that the NIST vector rates only integrity impact (C:N/I:H/A:N), although the description allows execution of arbitrary Java bytecode in the transforming process; when prioritising, treat a confirmed exposure to attacker-controlled stylesheets as code execution in that process rather than as a data-integrity issue alone.
CWE ids for CVE-2022-34169
- When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur. (Assigned by: nvd@nist.gov, Primary)
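The truncation class described in that CWE text, modelled as an added illustration (not Xalan/XSLTC or BCEL code). The model assumes the narrow field is a JVM class-file u2 (16-bit) constant-pool index: a compiler that tracks pool entries in a Java int but emits references with a 16-bit write keeps only the low 16 bits, so a reference the compiler believes points at entry 65536 + k is read back by the JVM as entry k, which is how a stylesheet that grows the pool past 65535 entries can redirect references to a constant of its choosing. The names `write_u2_truncating`, `write_u2_checked` and `resolve` are this example's own.

```python
"""Model of the truncation class behind CVE-2022-34169.

Added illustration, not Xalan/XSLTC or BCEL code.  It assumes the narrow
field is a JVM class-file u2 (16-bit) constant-pool index: the writer that
tracks indices in a Java int but emits them with a 16-bit write keeps only
the low 16 bits, so entry 65536 + k is referenced as entry k.
"""
import struct
from typing import Callable, List

U2_MAX = 0xFFFF


def write_u2_truncating(index: int) -> bytes:
    """Behaves like DataOutputStream.writeShort(int): high bits silently dropped."""
    return struct.pack(">H", index & U2_MAX)


def write_u2_checked(index: int) -> bytes:
    """Hardened writer: refuse any value a u2 cannot represent."""
    if not 0 <= index <= U2_MAX:
        raise OverflowError(f"constant-pool index {index} does not fit in u2")
    return struct.pack(">H", index)


def read_u2(data: bytes) -> int:
    """Decode the field the way a class-file reader would."""
    return struct.unpack(">H", data)[0]


def resolve(pool: List[str], index: int, writer: Callable[[int], bytes]) -> str:
    """Emit `index` with `writer`, then return the pool entry a reader actually sees."""
    return pool[read_u2(writer(index))]


def rejects(index: int) -> bool:
    """True if the hardened writer refuses `index`."""
    try:
        write_u2_checked(index)
    except OverflowError:
        return True
    return False


def build_pool(size: int, planted_slot: int, planted: str) -> List[str]:
    """Constructed pool: `size` filler entries plus one attacker-chosen entry at a
    low slot that a truncated high index will alias onto."""
    pool = [f"entry_{i}" for i in range(size)]
    pool[planted_slot] = planted
    return pool


def demo() -> str:
    """Oversized pool: the compiler means entry 65539, the reader sees entry 3."""
    pool = build_pool(U2_MAX + 10, 3, "attacker_chosen")
    wanted = U2_MAX + 1 + 3
    return resolve(pool, wanted, write_u2_truncating)


if __name__ == "__main__":
    print("truncating writer resolves to:", demo())
    print("checked writer rejects 65539:", rejects(U2_MAX + 4))
```

The general lesson for any emitter of a fixed-width binary format is the second writer: bound-check the value against the field width at the point of encoding, or cap the number of entries the structure may hold, rather than trusting that an in-memory int will fit when serialised.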
References for CVE-2022-34169
- http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html
  Xalan-J XSLTC Integer Truncation (Packet Storm) [Third Party Advisory; VDB Entry]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/
  [SECURITY] Fedora 36 Update: java-latest-openjdk-18.0.2.0.9-1.rolling.fc36 (Fedora package-announce)
- http://www.openwall.com/lists/oss-security/2022/07/19/6
  oss-security: Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets [Mailing List; Third Party Advisory]
- https://www.debian.org/security/2022/dsa-5188
  Debian Security Information: DSA-5188-1 openjdk-11 [Third Party Advisory]
- https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html
  [SECURITY] [DLA 3155-1] bcel security update [Mailing List; Third Party Advisory]
- https://security.netapp.com/advisory/ntap-20220729-0009/
  July 2022 Java Platform Standard Edition Vulnerabilities in NetApp Products (NetApp Product Security) [Third Party Advisory]
- https://security.gentoo.org/glsa/202401-25
  OpenJDK: Multiple Vulnerabilities (GLSA 202401-25) (Gentoo security)
- https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw
  CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets (Apache Mail Archives) [Issue Tracking; Mailing List; Vendor Advisory]
- http://www.openwall.com/lists/oss-security/2022/07/20/3
  oss-security: Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets [Mailing List; Patch; Third Party Advisory]
- https://www.debian.org/security/2022/dsa-5192
  Debian Security Information: DSA-5192-1 openjdk-17 [Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2022/11/04/8
  oss-security: Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/
  [SECURITY] Fedora 35 Update: java-1.8.0-openjdk-1.8.0.342.b07-1.fc35 (Fedora package-announce)
- https://www.debian.org/security/2022/dsa-5256
  Debian Security Information: DSA-5256-1 bcel [Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/
  [SECURITY] Fedora 36 Update: java-1.8.0-openjdk-1.8.0.342.b07-1.fc36 (Fedora package-announce)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/
  [SECURITY] Fedora 36 Update: java-11-openjdk-11.0.16.0.8-1.fc36 (Fedora package-announce)
- https://security.netapp.com/advisory/ntap-20240621-0006/
  February 2024 IBM Cognos Analytics Vulnerabilities in NetApp Products (NetApp Product Security)
- https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8
  Retire Xalan to the Attic (Apache Mail Archives) [Issue Tracking; Mailing List; Vendor Advisory]
- http://www.openwall.com/lists/oss-security/2022/07/19/5
  oss-security: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets [Mailing List; Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2022/10/18/2
  oss-security: Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets [Mailing List; Patch; Third Party Advisory]
- http://www.openwall.com/lists/oss-security/2022/07/20/2
  oss-security: Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/
  [SECURITY] Fedora 35 Update: java-11-openjdk-11.0.16.0.8-1.fc35 (Fedora package-announce)
- http://www.openwall.com/lists/oss-security/2022/11/07/2
  oss-security: Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing [Mailing List; Third Party Advisory]
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/
  [SECURITY] Fedora 35 Update: java-latest-openjdk-18.0.2.0.9-1.rolling.fc35 (Fedora package-announce)
- https://www.oracle.com/security-alerts/cpujul2022.html
  Oracle Critical Patch Update Advisory - July 2022 [Patch; Third Party Advisory]