CVE-2022-34169
bcel - security update
CVSS 3.1 score: 7.5 (HIGH)
EPSS: 11.0%
Description
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
How to fix CVE-2022-34169
To remediate CVE-2022-34169, upgrade the affected package to a fixed version below.
- no fix listed
- no fix listed
- no fix listed
- upgrade to 6.2-1+deb10u1 or later
- upgrade to 6.5.0-1+deb11u1 or later
- upgrade to 6.5.0-1+deb11u1 or later
- upgrade to 11.0.16+8-1~deb11u1 or later
- upgrade to 17.0.4+8-1~deb11u1 or later
- upgrade to 2.7.3 or later
Is CVE-2022-34169 being exploited?
Moderate — EPSS is 11.0%. Track this CVE but it's not at the top of the prioritisation list.
Affected packages (9)
- >= 1.8.0-333, <= 1.8.0-333, >= 11.0.15-1, <= 11.0.15-1, >= 17.0.3-1, <= 17.0.3-1
- >= 1.8.0-333, <= 1.8.0-333, >= 11.0.15-1, <= 11.0.15-1, >= 17.0.3-1, <= 17.0.3-1
- >= 1.8.0-333, <= 1.8.0-333, >= 11.0.15-1, <= 11.0.15-1, >= 17.0.3-1, <= 17.0.3-1
- from 0, < 6.2-1+deb10u1
- from 0, < 6.5.0-1+deb11u1
- from 0, < 6.5.0-1+deb11u1
- from 0, < 11.0.16+8-1~deb11u1
- from 0, < 17.0.4+8-1~deb11u1
- from 0, < 2.7.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |