| Name | CVE-2005-3757 |
| Description | The Saxon XSLT parser in Google Mini Search Appliance, and possibly Google Search Appliance, allows remote attackers to obtain sensitive information and execute arbitrary code via dangerous Java class methods in select attribute of xsl:value-of tags in XSLT style sheets, such as (1) system-property, (2) sys:getProperty, and (3) run:exec. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| ooo2dbk (PTS) | buster | 2.1.0-1.1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| ooo2dbk | source | (unstable) | (not affected) |
XSLTs can call arbitrary java methods in libsaxon-java. This behaviour
is well documented and can be switched off. Let's hope that all users
of saxon are aware of this. A warning has been added to the readme.
Current rdependencies:
- ooo2dbk <not-affected> (uses it's own xslt unless overridden by command line arg)