CVE-2019-11068

Опубликовано: 10 апр. 2019

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

Ссылки

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/22/1
Mailing List
Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/23/5
Mailing List
Third Party Advisory
https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
Mailing List
Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
https://security.netapp.com/advisory/ntap-20191017-0001/
Third Party Advisory
https://usn.ubuntu.com/3947-1/
Third Party Advisory
https://usn.ubuntu.com/3947-2/
Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
Patch
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:*

Версия до 1.1.33 (включая)

Конфигурация 2

Одно из

cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*

cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*

Конфигурация 3

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Конфигурация 4

Одно из

cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*

Конфигурация 5

cpe:2.3:a:oracle:jdk:8.0:update_221:*:*:*:*:*:*

Конфигурация 6

Одно из

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*

cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*

cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:e-series_santricity_management_plug-ins:-:*:*:*:*:vmware_vcenter:*:*

cpe:2.3:a:netapp:e-series_santricity_os_controller:*:*:*:*:*:*:*:*

Версия от 11.0 (включая) до 11.70.2 (включая)

cpe:2.3:a:netapp:e-series_santricity_storage_manager:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:e-series_santricity_unified_manager:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:e-series_santricity_web_services_proxy:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:plug-in_for_symantec_netbackup:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:santricity_unified_manager:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*

cpe:2.3:a:netapp:snapmanager:-:-:*:*:*:oracle:*:*

cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*

cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*

Конфигурация 7

Одно из

cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*

cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*

EPSS

Процентиль: 77%

0.01109

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-noinfo

Связанные уязвимости

CVE-2019-11068

CVSS3: 9.8

ubuntu

больше 6 лет назад

CVE-2019-11068

CVSS3: 6.3

redhat

больше 6 лет назад

CVE-2019-11068

CVSS3: 9.8

debian

больше 6 лет назад

libxslt through 1.1.33 allows bypass of a protection mechanism because ...

openSUSE-SU-2019:1433-1

suse-cvrf

около 6 лет назад

Security update for libxslt

openSUSE-SU-2019:1430-1

suse-cvrf

около 6 лет назад

Security update for libxslt

EPSS

Процентиль: 77%

0.01109

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

NVD-CWE-noinfo