Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
CVE-2022-34169

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Xalan-j
Vendor: CVE Published:; 19 July 2022

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

Affected Version(s)

Apache Xalan-J Xalan-J <= 2.7.2

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

AutoGenerateXalanPayload
Created by flowerwind

CVE-2022-34169
Created by Disnaming

CVE-2022-34169
Created by bor8

References

https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnks...

https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6x...

http://www.openwall.com/lists/oss-security/2022/07/19/5

mailing-list

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

🟡
Public PoC available
Jan 17, 2023
👾
Exploit known to exist
Jan 17, 2023
Vulnerability published
Jul 19, 2022
Vulnerability Reserved
Jun 21, 2022

Credit

Reported by Felix Wilhelm, Google Project Zero