The default configuration of XSLTResourceStream.java is vulnerable to remote code execution via XSLT injection when processing input from an untrusted source without validation.
Users are recommended to upgrade to versions 10.1.0, 9.18.0 or 8.16.0, which fix this issue.
References
Configurations
No configuration.
History
21 Nov 2024, 09:22
Type | Values Removed | Values Added |
---|---|---|
References | () http://www.openwall.com/lists/oss-security/2024/07/12/2 - | |
References | () https://lists.apache.org/thread/w613qh7yors840pbx00l1pq6wkl9jzkc - |
01 Aug 2024, 13:52
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
Summary |
|
12 Jul 2024, 14:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
12 Jul 2024, 13:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2024-07-12 13:15
Updated : 2024-11-21 09:22
NVD link : CVE-2024-36522
Mitre link : CVE-2024-36522
CVE.ORG link : CVE-2024-36522
JSON object : View
Products Affected
No product.
CWE
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')