Vulnerability Description
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
CVSS Score
9.8 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xmlsoft | Libxslt | <= 1.1.33 |
| Canonical | Ubuntu Linux | 12.04 |
| Debian | Debian Linux | 8.0 |
| Fedoraproject | Fedora | 29 |
| Oracle | Jdk | 8.0 |
| Netapp | Active Iq Unified Manager | - |
| Netapp | Cloud Backup | - |
| Netapp | E-Series Santricity Management Plug-Ins | - |
| Netapp | E-Series Santricity Os Controller | >= 11.0, <= 11.70.2 |
| Netapp | E-Series Santricity Storage Manager | - |
| Netapp | E-Series Santricity Unified Manager | - |
| Netapp | E-Series Santricity Web Services Proxy | - |
| Netapp | Element Software | - |
| Netapp | Hci Management Node | - |
| Netapp | Oncommand Insight | - |
| Netapp | Oncommand Workflow Automation | - |
| Netapp | Plug-In For Symantec Netbackup | - |
| Netapp | Santricity Unified Manager | - |
| Netapp | Snapmanager | - |
| Netapp | Solidfire | - |
References
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html (Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2019/04/22/1 (Mailing List, Third Party Advisory)
- http://www.openwall.com/lists/oss-security/2019/04/23/5 (Mailing List, Third Party Advisory)
- https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6f (Patch, Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://security.netapp.com/advisory/ntap-20191017-0001/ (Third Party Advisory)
- https://usn.ubuntu.com/3947-1/ (Third Party Advisory)
- https://usn.ubuntu.com/3947-2/ (Third Party Advisory)
FAQ
What is CVE-2019-11068?
CVE-2019-11068 is a vulnerability with a CVSS score of 9.8 (CRITICAL). libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a ...
How severe is CVE-2019-11068?
CVE-2019-11068 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-11068?
Check the references section above for vendor advisories and patch information. Affected products include: Xmlsoft Libxslt, Canonical Ubuntu Linux, Debian Debian Linux, Fedoraproject Fedora, Oracle Jdk.