Vulnerability Details CVE-2019-11068
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 65.7%
CVSS Severity
CVSS v3 Score 9.8
CVSS v2 Score 7.5
References
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
- http://www.openwall.com/lists/oss-security/2019/04/22/1
- http://www.openwall.com/lists/oss-security/2019/04/23/5
- https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
- https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
- https://security.netapp.com/advisory/ntap-20191017-0001/
- https://usn.ubuntu.com/3947-1/
- https://usn.ubuntu.com/3947-2/
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
- http://www.openwall.com/lists/oss-security/2019/04/22/1
- http://www.openwall.com/lists/oss-security/2019/04/23/5
- https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
- https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
- https://security.netapp.com/advisory/ntap-20191017-0001/
- https://usn.ubuntu.com/3947-1/
- https://usn.ubuntu.com/3947-2/
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Products affected by CVE-2019-11068
-
cpe:2.3:a:netapp:active_iq_unified_manager:-
-
cpe:2.3:a:netapp:cloud_backup:-
-
cpe:2.3:a:netapp:e-series_santricity_management_plug-ins:-
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.0
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.0.0
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.20
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.25
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.30
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.30.5r3
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40.3r2
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.40.5
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.50.1
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.50.2
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.60
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.60.0
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.60.1
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.60.3
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.70.1
-
cpe:2.3:a:netapp:e-series_santricity_os_controller:11.70.2
-
cpe:2.3:a:netapp:e-series_santricity_storage_manager:-
-
cpe:2.3:a:netapp:e-series_santricity_unified_manager:-
-
cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-
-
cpe:2.3:a:netapp:element_software:-
-
cpe:2.3:a:netapp:hci_management_node:-
-
cpe:2.3:a:netapp:oncommand_insight:-
-
cpe:2.3:a:netapp:oncommand_workflow_automation:-
-
cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-
-
cpe:2.3:a:netapp:santricity_unified_manager:-
-
cpe:2.3:a:netapp:snapmanager:-
-
cpe:2.3:a:netapp:solidfire:-
-
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-
-
cpe:2.3:a:oracle:jdk:8.0
-
cpe:2.3:a:xmlsoft:libxslt:-
-
cpe:2.3:a:xmlsoft:libxslt:0.0.1
-
cpe:2.3:a:xmlsoft:libxslt:0.1.0
-
cpe:2.3:a:xmlsoft:libxslt:0.10.0
-
cpe:2.3:a:xmlsoft:libxslt:0.11.0
-
cpe:2.3:a:xmlsoft:libxslt:0.12.0
-
cpe:2.3:a:xmlsoft:libxslt:0.13.0
-
cpe:2.3:a:xmlsoft:libxslt:0.14.0
-
cpe:2.3:a:xmlsoft:libxslt:0.2.0
-
cpe:2.3:a:xmlsoft:libxslt:0.3.0
-
cpe:2.3:a:xmlsoft:libxslt:0.4.0
-
cpe:2.3:a:xmlsoft:libxslt:0.5.0
-
cpe:2.3:a:xmlsoft:libxslt:0.6.0
-
cpe:2.3:a:xmlsoft:libxslt:0.7.0
-
cpe:2.3:a:xmlsoft:libxslt:0.8.0
-
cpe:2.3:a:xmlsoft:libxslt:0.9.0
-
cpe:2.3:a:xmlsoft:libxslt:1.0.0
-
cpe:2.3:a:xmlsoft:libxslt:1.0.1
-
cpe:2.3:a:xmlsoft:libxslt:1.0.10
-
cpe:2.3:a:xmlsoft:libxslt:1.0.11
-
cpe:2.3:a:xmlsoft:libxslt:1.0.12
-
cpe:2.3:a:xmlsoft:libxslt:1.0.13
-
cpe:2.3:a:xmlsoft:libxslt:1.0.14
-
cpe:2.3:a:xmlsoft:libxslt:1.0.15
-
cpe:2.3:a:xmlsoft:libxslt:1.0.16
-
cpe:2.3:a:xmlsoft:libxslt:1.0.17
-
cpe:2.3:a:xmlsoft:libxslt:1.0.18
-
cpe:2.3:a:xmlsoft:libxslt:1.0.19
-
cpe:2.3:a:xmlsoft:libxslt:1.0.2
-
cpe:2.3:a:xmlsoft:libxslt:1.0.20
-
cpe:2.3:a:xmlsoft:libxslt:1.0.21
-
cpe:2.3:a:xmlsoft:libxslt:1.0.22
-
cpe:2.3:a:xmlsoft:libxslt:1.0.23
-
cpe:2.3:a:xmlsoft:libxslt:1.0.24
-
cpe:2.3:a:xmlsoft:libxslt:1.0.25
-
cpe:2.3:a:xmlsoft:libxslt:1.0.26
-
cpe:2.3:a:xmlsoft:libxslt:1.0.27
-
cpe:2.3:a:xmlsoft:libxslt:1.0.28
-
cpe:2.3:a:xmlsoft:libxslt:1.0.29
-
cpe:2.3:a:xmlsoft:libxslt:1.0.3
-
cpe:2.3:a:xmlsoft:libxslt:1.0.30
-
cpe:2.3:a:xmlsoft:libxslt:1.0.31
-
cpe:2.3:a:xmlsoft:libxslt:1.0.32
-
cpe:2.3:a:xmlsoft:libxslt:1.0.33
-
cpe:2.3:a:xmlsoft:libxslt:1.0.4
-
cpe:2.3:a:xmlsoft:libxslt:1.0.5
-
cpe:2.3:a:xmlsoft:libxslt:1.0.6
-
cpe:2.3:a:xmlsoft:libxslt:1.0.7
-
cpe:2.3:a:xmlsoft:libxslt:1.0.8
-
cpe:2.3:a:xmlsoft:libxslt:1.0.9
-
cpe:2.3:a:xmlsoft:libxslt:1.1.0
-
cpe:2.3:a:xmlsoft:libxslt:1.1.1
-
cpe:2.3:a:xmlsoft:libxslt:1.1.10
-
cpe:2.3:a:xmlsoft:libxslt:1.1.11
-
cpe:2.3:a:xmlsoft:libxslt:1.1.12
-
cpe:2.3:a:xmlsoft:libxslt:1.1.13
-
cpe:2.3:a:xmlsoft:libxslt:1.1.14
-
cpe:2.3:a:xmlsoft:libxslt:1.1.15
-
cpe:2.3:a:xmlsoft:libxslt:1.1.16
-
cpe:2.3:a:xmlsoft:libxslt:1.1.17
-
cpe:2.3:a:xmlsoft:libxslt:1.1.18
-
cpe:2.3:a:xmlsoft:libxslt:1.1.19
-
cpe:2.3:a:xmlsoft:libxslt:1.1.2
-
cpe:2.3:a:xmlsoft:libxslt:1.1.20
-
cpe:2.3:a:xmlsoft:libxslt:1.1.21
-
cpe:2.3:a:xmlsoft:libxslt:1.1.22
-
cpe:2.3:a:xmlsoft:libxslt:1.1.23
-
cpe:2.3:a:xmlsoft:libxslt:1.1.24
-
cpe:2.3:a:xmlsoft:libxslt:1.1.25
-
cpe:2.3:a:xmlsoft:libxslt:1.1.26
-
cpe:2.3:a:xmlsoft:libxslt:1.1.27
-
cpe:2.3:a:xmlsoft:libxslt:1.1.28
-
cpe:2.3:a:xmlsoft:libxslt:1.1.29
-
cpe:2.3:a:xmlsoft:libxslt:1.1.3
-
cpe:2.3:a:xmlsoft:libxslt:1.1.30
-
cpe:2.3:a:xmlsoft:libxslt:1.1.31
-
cpe:2.3:a:xmlsoft:libxslt:1.1.32
-
cpe:2.3:a:xmlsoft:libxslt:1.1.33
-
cpe:2.3:a:xmlsoft:libxslt:1.1.4
-
cpe:2.3:a:xmlsoft:libxslt:1.1.5
-
cpe:2.3:a:xmlsoft:libxslt:1.1.6
-
cpe:2.3:a:xmlsoft:libxslt:1.1.7
-
cpe:2.3:a:xmlsoft:libxslt:1.1.8
-
cpe:2.3:a:xmlsoft:libxslt:1.1.9
-
cpe:2.3:o:canonical:ubuntu_linux:12.04
-
cpe:2.3:o:canonical:ubuntu_linux:14.04
-
cpe:2.3:o:canonical:ubuntu_linux:16.04
-
cpe:2.3:o:canonical:ubuntu_linux:18.04
-
cpe:2.3:o:canonical:ubuntu_linux:18.10
-
cpe:2.3:o:debian:debian_linux:8.0
-
cpe:2.3:o:fedoraproject:fedora:29
-
cpe:2.3:o:fedoraproject:fedora:30
-
cpe:2.3:o:opensuse:leap:15.0
-
cpe:2.3:o:opensuse:leap:15.1
-
cpe:2.3:o:opensuse:leap:42.3