Vulnerability Details : CVE-2019-11068
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. In other words the security framework fails open: -1 means the check itself could not complete (the URL did not parse as a URI), the callers only denied access on an explicit 0, and the document loader accepts URLs the strict URI parser rejects, so a stylesheet can read or write a target that the xsltSecurityPrefs policy was meant to block. The upstream fix (commit e0355360, listed under References) changes the callers to deny on any non-positive result; upstream libxslt 1.1.34 and the distribution packages referenced below carry the fix.
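The fail-open pattern described above, as an added example that is not libxslt's own code. It models the three outcomes of xsltCheckRead/xsltCheckWrite (1 allowed, 0 denied by policy, -1 the check failed) with a constructed stand-in URI parser and a stand-in "no local files" policy, then contrasts the vulnerable caller pattern (deny only on 0) with the fixed one (deny on anything non-positive). The sample URLs are constructed; the helper names are assumptions for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not libxslt code. It models the three outcomes of
 * xsltCheckRead()/xsltCheckWrite() and contrasts the vulnerable caller
 * pattern with the fixed one. The URI parser and the policy below are
 * constructed stand-ins, not libxml2/libxslt implementations. */

enum { CHECK_ERROR = -1, CHECK_DENIED = 0, CHECK_ALLOWED = 1 };

/* Stand-in strict URI parser: refuses characters that are not valid
 * unescaped in a URI. A lenient file loader would still open such a path,
 * which is what turns an error from the check into a bypass. */
static int parse_uri_ok(const char *url)
{
    for (const char *p = url; *p != '\0'; p++) {
        if ((unsigned char)*p < 0x20 || strchr(" \"<>{}|\\^`", *p) != NULL)
            return 0;
    }
    return 1;
}

/* Stand-in policy: local file access is forbidden, everything else allowed
 * (roughly what XSLT_SECPREF_READ_FILE = xsltSecurityForbid expresses). */
static int check_read(const char *url)
{
    if (!parse_uri_ok(url))
        return CHECK_ERROR;     /* the real xsltCheckRead returns -1 here */
    if (strncmp(url, "file:", 5) == 0 || url[0] == '/')
        return CHECK_DENIED;
    return CHECK_ALLOWED;
}

/* Vulnerable caller pattern (libxslt <= 1.1.33): only an explicit 0 denies,
 * so the -1 error path falls through to loading the document. */
int load_allowed_vulnerable(const char *url)
{
    if (check_read(url) == 0)
        return 0;
    return 1;
}

/* Fixed caller pattern: anything but a positive result denies. */
int load_allowed_fixed(const char *url)
{
    if (check_read(url) <= 0)
        return 0;
    return 1;
}

/* 1 when the URL is denied by the fixed code but let through by the
 * vulnerable one, i.e. the CVE-2019-11068 fail-open condition. */
int is_fail_open_bypass(const char *url)
{
    return load_allowed_vulnerable(url) && !load_allowed_fixed(url);
}

int main(void)
{
    /* Constructed sample URLs, not taken from any real exploit. */
    const char *urls[] = {
        "http://example.test/data.xml",   /* allowed by policy */
        "file:///etc/passwd",             /* denied by policy */
        "file:///etc/pass wd",            /* fails the strict parser: -1 */
    };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        printf("%-32s check=%2d vulnerable=%d fixed=%d bypass=%d\n", urls[i],
               check_read(urls[i]), load_allowed_vulnerable(urls[i]),
               load_allowed_fixed(urls[i]), is_fail_open_bypass(urls[i]));
    }
    return 0;
}
```

The third URL is the interesting case: the policy would have denied it as a local file, but because the strict parser rejects the space before the policy is ever consulted, the vulnerable caller treats the -1 as "not denied" and loads it. In real code the policy object is built with xsltNewSecurityPrefs and xsltSetSecurityPrefs (for example XSLT_SECPREF_READ_FILE set to xsltSecurityForbid) and attached to the transform context; the fix is entirely on the caller side, which is why every call site had to be changed.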
Products affected by CVE-2019-11068
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:oracle:jdk:8.0:update_221:*:*:*:*:*:*
- cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*
- cpe:2.3:a:netapp:snapmanager:-:-:*:*:*:oracle:*:*
- cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:* (versions from 11.0 up to and including 11.70.2)
- cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:e-series_santricity_management_plug-ins:-:*:*:*:*:vmware_vcenter:*:*
- cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
- cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
- cpe:2.3:a:netapp:santricity_unified_manager:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*
- cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-11068
EPSS score: 0.30% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~69% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2019-11068
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |

The first row is the CVSS v2 assessment and the second is CVSS v3.1, both assigned by NIST (NVD). Both vectors rate the issue as remotely reachable with no authentication or user interaction, since the bypass is triggered by the stylesheet content itself; no First Seen date is recorded for either score.
References for CVE-2019-11068
- USN-3947-1: Libxslt vulnerability (Ubuntu security notices) [Third Party Advisory]
  https://usn.ubuntu.com/3947-1/
- openSUSE-SU-2019:1430-1 (moderate): security update [Third Party Advisory]
  http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html
- October 2019 Java Platform Standard Edition Vulnerabilities in NetApp Products (NetApp Product Security) [Third Party Advisory]
  https://security.netapp.com/advisory/ntap-20191017-0001/
- Oracle Critical Patch Update Advisory, October 2019 (the URL currently returns Oracle's "Page not found") [Patch; Third Party Advisory]
  https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- [SECURITY] Fedora 30 Update: libxslt-1.1.33-1.fc30 (package-announce) [Mailing List; Third Party Advisory]
  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/
- Fix security framework bypass (e0355360), GNOME / libxslt commit [Patch; Third Party Advisory]
  https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
- openSUSE-SU-2019:1428-1 (moderate): security update [Third Party Advisory]
  http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html
- oss-security: Re: Nokogiri security update v1.10.3 [Mailing List; Third Party Advisory]
  http://www.openwall.com/lists/oss-security/2019/04/23/5
- openSUSE-SU-2019:1433-1 (moderate): security update [Third Party Advisory]
  http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html
- USN-3947-2: Libxslt vulnerability (Ubuntu security notices) [Third Party Advisory]
  https://usn.ubuntu.com/3947-2/
- [SECURITY] Fedora 30 Update: mingw-libxslt-1.1.33-1.fc30 (package-announce) [Mailing List; Third Party Advisory]
  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
- openSUSE-SU-2019:1527-1 (important): security update [Third Party Advisory]
  http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
- [SECURITY] Fedora 29 Update: libxslt-1.1.33-1.fc29 (package-announce) [Mailing List; Third Party Advisory]
  https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/
- openSUSE-SU-2019:1824-1 (important): security update [Third Party Advisory]
  http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
- [SECURITY] [DLA 1756-1] libxslt security update (debian-lts-announce) [Mailing List; Third Party Advisory]
  https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
- oss-security: Nokogiri security update v1.10.3 [Mailing List; Third Party Advisory]
  http://www.openwall.com/lists/oss-security/2019/04/22/1