CVE-2022-34169 - Integer Truncation Issue
Severity: None
2022-10-13
Abstract
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected.
The Oxygen products incorporate Apache Xalan Java as a third-party library. This advisory was opened to address the potential impact of this third-party library vulnerability.
Affected Products/Versions
Product | Severity | Fixed Release Availability |
Oxygen XML Author v25.0 and older | None | N/A |
Oxygen XML Developer v25.0 and older | None | N/A |
Oxygen XML Editor v25.0 and older | None | N/A |
Detail
CVE-2022-34169
Severity: High
CVSS Score: 7.5
The version of the Apache Xalan Java third-party library used by Oxygen XML products is one of the affected versions mentioned in the CVE-2022-34169 vulnerability description. However, Oxygen XML products do not use Apache Xalan Java to generate Java classes from XSLT. For that reason, our products are not affected by this vulnerability.