What is CVE-2022-34169?

CVE-2022-34169 is a high-severity vulnerability in Apache Xalan-java, classified under Incorrect Conversion between Numeric Types. CVSS score: 7.5/10. Published 2022-07-19.

How severe is CVE-2022-34169?

High severity. CVSS v3 base score is 7.5 out of 10.

Is CVE-2022-34169 known to be exploited?

18 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Apache Xalan-java

CVE-2022-34169

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java by…

EPSS: 0.110 (93.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.5 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N.

Affected products

Apache Xalan-java
Apache Software Foundation Xalan-j — versions Xalan-J
Azul Zulu — versions 6.47, 7.54, 8.62
Netapp 7-mode_transition_tool
Netapp Active_iq_unified_manager
Netapp Cloud_insights_acquisition_unit
Netapp Cloud_secure_agent
Netapp Hci_compute_node
Netapp Hci_management_node
Netapp Oncommand_insight

Weakness classification (CWE)

CWE-681 — Incorrect Conversion between Numeric Types

Public proof-of-concept exploits

References

security@apache.org (Mailing List, Issue Tracking, Vendor Advisory)
security@apache.org (Mailing List, Issue Tracking, Vendor Advisory)
security@apache.org (mailing-list, Mailing List, Third Party Advisory)
security@apache.org (Patch, Third Party Advisory)
security@apache.org (mailing-list, Mailing List, Third Party Advisory)
security@apache.org (mailing-list, Mailing List, Third Party Advisory)
security@apache.org (mailing-list, Patch, Mailing List, Third Party Advisory)
security@apache.org (vendor-advisory, Third Party Advisory)
security@apache.org (vendor-advisory, Third Party Advisory)
security@apache.org (Third Party Advisory)

Frequently asked questions

What is CVE-2022-34169?: CVE-2022-34169 is a high-severity vulnerability in Apache Xalan-java, classified under Incorrect Conversion between Numeric Types. CVSS score: 7.5/10. Published 2022-07-19.
How severe is CVE-2022-34169?: High severity. CVSS v3 base score is 7.5 out of 10.
Is CVE-2022-34169 known to be exploited?: 18 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.