CVE-2019-11068

Name
CVE-2019-11068
Description
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
NVD Severity
high
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Patch https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
Mailing List https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
Third Party Advisory https://usn.ubuntu.com/3947-2/
Mailing List http://www.openwall.com/lists/oss-security/2019/04/22/1
Third Party Advisory https://usn.ubuntu.com/3947-1/
Mailing List http://www.openwall.com/lists/oss-security/2019/04/23/5
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
FEDORA https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/
SUSE http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
MISC https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
CONFIRM https://security.netapp.com/advisory/ntap-20191017-0001/

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:xmlsoft:libxslt:*:*:*:*:*:*:*:* libxslt >= None <= 1.1.33

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
libxslt edge-main 1.1.33-r3 None fixed
libxslt edge-main 1.1.33-r1 None fixed
libxslt edge-main 1.1.29-r1 None possibly vulnerable
libxslt 3.22-main 1.1.33-r3 None fixed
libxslt 3.22-main 1.1.33-r1 None fixed
libxslt 3.22-main 1.1.29-r1 None possibly vulnerable
libxslt 3.21-main 1.1.33-r3 None fixed
libxslt 3.21-main 1.1.33-r1 None fixed
libxslt 3.21-main 1.1.29-r1 None possibly vulnerable
libxslt 3.20-main 1.1.33-r3 None fixed
libxslt 3.20-main 1.1.33-r1 None fixed
libxslt 3.20-main 1.1.29-r1 None possibly vulnerable
libxslt 3.19-main 1.1.33-r3 None fixed
libxslt 3.19-main 1.1.33-r1 None fixed
libxslt 3.19-main 1.1.29-r1 None possibly vulnerable
libxslt 3.18-main 1.1.33-r1 None fixed
libxslt 3.17-main 1.1.33-r1 None fixed
libxslt 3.12-main 1.1.33-r1 None fixed
libxslt 3.11-main 1.1.33-r1 None fixed
libxslt 3.10-main 1.1.33-r1 None fixed