Hi, I've previously looked into CVE-2022-34169 related to fixes in the OpenJDK project, which references the Xalan XSLT transformation library.
As far as I understand, this is the OpenJDK fix related to the vulnerability, where the Xalan source has been folded into the OpenJDK project some time ago: https://github.com/openjdk/jdk8u/commit/3dca446d440e55cbb7dc3555392f4520ec9ff3bc

Here the fixes are not in the Xalan source, but in an undeclared version of BCEL.jar present in the Xalan source, specifically in the ConstantPool and ConstantPoolGen classes. Is this issue present in the latest version of Commons BCEL as well, or is this a non-issue for BCEL as a separate library?

The relevant classes can be found in the BCEL GitHub project for ConstantPool <https://github.com/apache/commons-bcel/blob/899dae27675e8a0da282f3bcc0ac7c2823abf1ad/src/main/java/org/apache/bcel/classfile/ConstantPool.java#L232> and ConstantPoolGen <https://github.com/apache/commons-bcel/blob/899dae27675e8a0da282f3bcc0ac7c2823abf1ad/src/main/java/org/apache/bcel/generic/ConstantPoolGen.java#L563>.

-- Fredrik