#VU65495 Improper input validation in Oracle GraalVM Enterprise Edition - CVE-2022-34169

Published: July 20, 2022 / Updated: January 20, 2025


Vulnerability identifier: #VU65495
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
CVE-ID: CVE-2022-34169
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: Public exploit is available
Vulnerable software:
Oracle GraalVM Enterprise Edition
Software vendor:
Oracle

Description

The vulnerability allows a remote non-authenticated attacker to compromise the affected system.

The vulnerability exists due to an integer truncation issue when processing malicious XSLT stylesheets. A remote non-authenticated attacker can pass specially crafted data to the application to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.


Remediation

Install updates from the vendor's website.

External links