CVE-2019-9628

moderate-risk
Published 2019-04-11

The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type.

Do I need to act?

-
0.80% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (7)

Xmltooling

Affected Vendors

Canonical Opensuse Xmltooling Project

References (14)

Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html
Issue Tracking https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912
Third Party Advisory https://security.netapp.com/advisory/ntap-20190611-0003/
Third Party Advisory https://shibboleth.net/community/advisories/secadv_20190311.txt
Third Party Advisory https://usn.ubuntu.com/3921-1/
Third Party Advisory https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html
Mailing List http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html
Issue Tracking https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912
Third Party Advisory https://security.netapp.com/advisory/ntap-20190611-0003/
Third Party Advisory https://shibboleth.net/community/advisories/secadv_20190311.txt
Third Party Advisory https://usn.ubuntu.com/3921-1/
Third Party Advisory https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories
43
/ 100
moderate-risk
Severity 26/34 · High
Exploitability 3/34 · Minimal
Exposure 14/34 · Moderate