Incorrect Conversion between Numeric Types in xalan:xalan

CVE-2022-34169

xalan:xalan

High

7.5/10

Summary

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. This issues affect versions prior to 2.7.3. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: NONE
Availability Impact: NONE

CWE-681 - Incorrect Conversion between Numeric Types

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

References

Advisory Timeline

Published Jul 19, 2022

Incorrect Conversion between Numeric Types in xalan:xalan

CVE-2022-34169

Summary

CWE-681 - Incorrect Conversion between Numeric Types

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS