CVE-2019-11068
high-risk
Published 2019-04-10
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
Do I need to act?
~
1.1% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
9
CVSS 9.8/10
Critical
NETWORK
/ LOW complexity
Affected Products (20)
Libxslt
References (32)
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
Third Party Advisory
https://security.netapp.com/advisory/ntap-20191017-0001/
Third Party Advisory
https://usn.ubuntu.com/3947-1/
Third Party Advisory
https://usn.ubuntu.com/3947-2/
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html
Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
and 12 more references
58
/ 100
high-risk
Severity
32/34 · Critical
Exploitability
3/34 · Minimal
Exposure
23/34 · High