CVE-2022-34169

Aliases:GHSA-9339-86wc-4qgfBIT-java-2022-34169BIT-java-min-2022-34169BIT-jre-2022-34169

Advisory lineage Upstream: 0 Downstream: 56

Downstream

DEBIAN-CVE-2022-34169 DLA-3155-1 DSA-5188-1 DSA-5192-1 DSA-5256-1 MGASA-2022-0435

Modified

Published: 19 Jul 2022, 00:00

Last modified:27 May 2026, 12:51

Vulnerability Summary

Overall Risk (default)

medium

32/100

CVSS Score

7.5 HIGH

v3.1 (nvd)

EPSS Score

10.95% MEDIUM

11% probability +4.29%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

19 Jul 2022, 00:00

Published

Vulnerability first disclosed

27 May 2026, 12:51

Last Modified

Vulnerability information updated

Description

The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.

CVSS Metrics

v3.1•HIGH•Score: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Trends

Current EPSS score: 10.95%• Percentile: 94%

Techniques & Countermeasures

CWE-681•Incorrect Conversion between Numeric Types
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.

Affected Systems

apache software foundation•apache xalan-j
≥ Xalan-J, ≤ 2.7.2
apache•xalan-java
≤ 2.7.2
azul•zulu
6.47 | 7.54 | 8.62 | 11.56 | 13.48 | 15.40 | 17.34 | 18.30
debian•debian_linux
10.0 | 11.0
fedoraproject•fedora
35 | 36
xalan•xalan
< 2.7.3
netapp•7-mode_transition_tool
na
netapp•active_iq_unified_manager
na
netapp•cloud_insights_acquisition_unit
na
netapp•cloud_secure_agent
na
netapp•hci_compute_node_firmware
na
netapp•hci_management_node
na
netapp•oncommand_insight
na
netapp•solidfire
na
oracle•graalvm
20.3.6 | 21.3.2 | 22.1.0
oracle•jdk
1.7.0:update343 | 1.8.0:update333 | 11.0.15.1 | 17.0.3.1 | 18.0.1.1
oracle•jre
1.7.0:update343 | 1.8.0:update333 | 11.0.15.1 | 17.0.3.1 | 18.0.1.1
oracle•openjdk
≥ 11, ≤ 11.0.15 | ≥ 13, ≤ 13.0.11 | ≥ 15, ≤ 15.0.7 | ≥ 17, ≤ 17.0.3 | 7 | 7:update1 | 7:update10 | 7:update101 | 7:update11 | 7:update111 | 7:update121 | 7:update13 | 7:update131 | 7:update141 | 7:update15 | 7:update151 | 7:update161 | 7:update17 | 7:update171 | 7:update181 | 7:update191 | 7:update2 | 7:update201 | 7:update21 | 7:update211 | 7:update221 | 7:update231 | 7:update241 | 7:update25 | 7:update251 | 7:update261 | 7:update271 | 7:update281 | 7:update291 | 7:update3 | 7:update301 | 7:update311 | 7:update321 | 7:update4 | 7:update40 | 7:update45 | 7:update5 | 7:update51 | 7:update55 | 7:update6 | 7:update60 | 7:update65 | 7:update67 | 7:update7 | 7:update72 | 7:update76 | 7:update80 | 7:update85 | 7:update9 | 7:update91 | 7:update95 | 7:update97 | 7:update99 | 8 | 8:milestone1 | 8:milestone2 | 8:milestone3 | 8:milestone4 | 8:milestone5 | 8:milestone6 | 8:milestone7 | 8:milestone8 | 8:milestone9 | 8:update101 | 8:update102 | 8:update11 | 8:update111 | 8:update112 | 8:update121 | 8:update131 | 8:update141 | 8:update151 | 8:update152 | 8:update161 | 8:update162 | 8:update171 | 8:update172 | 8:update181 | 8:update191 | 8:update192 | 8:update20 | 8:update201 | 8:update202 | 8:update211 | 8:update212 | 8:update221 | 8:update222 | 8:update231 | 8:update232 | 8:update241 | 8:update242 | 8:update25 | 8:update252 | 8:update262 | 8:update271 | 8:update281 | 8:update282 | 8:update291 | 8:update301 | 8:update302 | 8:update31 | 8:update312 | 8:update322 | 8:update332 | 8:update40 | 8:update45 | 8:update5 | 8:update51 | 8:update60 | 8:update65 | 8:update66 | 8:update71 | 8:update72 | 8:update73 | 8:update74 | 8:update77 | 8:update91 | 8:update92 | 18