Vulnerability Details : CVE-2019-9628
The XMLTooling library (all versions prior to V3.0.4), provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type.
Products affected by CVE-2019-9628
- cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:a:xmltooling_project:xmltooling:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-9628
- 1.80%: Probability of exploitation activity in the next 30 days
- ~88%: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-9628
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2019-9628
- The product does not handle or incorrectly handles an exceptional condition. Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-9628
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html
  [security-announce] openSUSE-SU-2019:1235-1: moderate: Security update f (Mailing List; Third Party Advisory)
- https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912
  Bug #1819912 “CVE-2019-9628 XML parser class fails to trap excep...” : Bugs : xmltooling package : Ubuntu (Issue Tracking; Third Party Advisory)
- https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories
  SecurityAdvisories - Service Provider 3 - Shibboleth Wiki (Third Party Advisory)
- https://usn.ubuntu.com/3921-1/
  USN-3921-1: XMLTooling vulnerability | Ubuntu security notices (Third Party Advisory)
- https://shibboleth.net/community/advisories/secadv_20190311.txt
  (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html
  [security-announce] openSUSE-SU-2019:1276-1: moderate: Security update f (Mailing List; Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20190611-0003/
  CVE-2019-9628 XMLTooling Library Vulnerability in NetApp Products | NetApp Product Security (Third Party Advisory)