Search for packages
| purl | pkg:maven/xalan/xalan@2.4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-kcrm-j8h2-8qbt
Aliases: CVE-2014-0107 GHSA-rc2w-r4jq-7pfx |
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function. |
Affected by 1 other vulnerability. |
|
VCID-rfs8-njaq-qkc8
Aliases: CVE-2022-34169 GHSA-9339-86wc-4qgf |
Apache Xalan Java XSLT library integer truncation issue when processing malicious XSLT stylesheets The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. A fix for this issue was published in September 2022 as part of an anticipated 2.7.3 release. |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||