CVE-2019-11068

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2019-11068
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5 /10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References
Link Resource
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/22/1 Mailing List Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/23/5 Mailing List Third Party Advisory
https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6 Patch Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
https://security.netapp.com/advisory/ntap-20191017-0001/ Third Party Advisory
https://usn.ubuntu.com/3947-1/ Third Party Advisory
https://usn.ubuntu.com/3947-2/ Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html Patch Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:a:oracle:jdk:8.0:update_221:*:*:*:*:*:*

Configuration 6 (hide)

OR cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*
cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*
cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_management_plug-ins:-:*:*:*:*:vmware_vcenter:*:*
cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:santricity_unified_manager:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*
cpe:2.3:a:netapp:snapmanager:-:-:*:*:*:oracle:*:*
cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*
cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*

Configuration 7 (hide)

OR cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
History

No history.

Information

Published : 2019-04-10 20:29

Updated : 2023-11-07 03:02

NVD link : CVE-2019-11068

Mitre link : CVE-2019-11068

CVE.ORG link : CVE-2019-11068

JSON object : View

Products Affected

oracle

  • jdk

netapp

  • cloud_backup
  • e-series_santricity_os_controller
  • hci_management_node
  • e-series_santricity_unified_manager
  • e-series_santricity_management_plug-ins
  • active_iq_unified_manager
  • e-series_santricity_storage_manager
  • oncommand_insight
  • plug-in_for_symantec_netbackup
  • element_software
  • solidfire
  • steelstore_cloud_integrated_storage
  • e-series_santricity_web_services_proxy
  • oncommand_workflow_automation
  • snapmanager
  • santricity_unified_manager

canonical

  • ubuntu_linux

opensuse

  • leap

fedoraproject

  • fedora

debian

  • debian_linux

xmlsoft

  • libxslt
CWE
NVD-CWE-noinfo