CVE-2019-11068
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
10/04/2019
Last modified:
07/11/2023
Description
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
Impact
Base Score 3.x
9.80
Severity 3.x
CRITICAL
Base Score 2.0
7.50
Severity 2.0
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:* | 1.1.33 (including) | |
| cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:* | ||
| cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:* | ||
| cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:* | ||
| cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:* | ||
| cpe:2.3:a:oracle:jdk:8.0:update_221:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:* | ||
| cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:* | ||
| cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:* | ||
| cpe:2.3:a:netapp:e-series_santricity_management_plug-ins:-:*:*:*:*:vmware_vcenter:*:* | ||
| cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* | 11.0 (including) | 11.70.2 (including) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
- http://www.openwall.com/lists/oss-security/2019/04/22/1
- http://www.openwall.com/lists/oss-security/2019/04/23/5
- https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
- https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
- https://security.netapp.com/advisory/ntap-20191017-0001/
- https://usn.ubuntu.com/3947-1/
- https://usn.ubuntu.com/3947-2/
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html