CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Security readout for executives and security teams
This flaw lets a malicious XSLT stylesheet abuse Apache Xalan-J’s XSLTC compiler path to alter generated Java class files and run attacker-controlled Java bytecode. Business risk is highest where applications accept or transform untrusted XSLT/XML content, including through bundled Java runtime copies. Exposure is likely in Java applications, middleware, or platforms using Xalan-J or runtime-bundled Xalan to process attacker-supplied XSLT. Dependency and runtime inventories are necessary because repackaged copies may not appear as direct application dependencies. Treat as high priority for Java services that transform untrusted XSLT or depend on affected runtimes. Patch direct libraries and vendor runtimes, then verify no exposed workflow accepts attacker-controlled stylesheets. Mitigation focus: Upgrade Apache Xalan-J to version 2.7.3 or later where directly used.; Apply Java runtime and vendor updates that replace repackaged Xalan copies.; Review Oracle, Debian, Fedora, and product-vendor advisories for affected packages..
Prepared
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-681: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-681 · source CWE mapping
Incorrect Conversion between Numeric Types
Incorrect Conversion between Numeric Types represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.