CVE-2019-11068
Advisory lineage Upstream: 0 Downstream: 26
Modified
Published: 10 Apr 2019, 19:38
Last modified: 28 May 2026, 18:18
Vulnerability Summary
- Overall Risk (default): high, 70/100
- CVSS Score: 9.8 CRITICAL, v3.1 (nvd)
- EPSS Score: 1.13% LOW, 1% probability, +0.14%
- KEV: Not listed
- Ransomware: No reports
- Public exploits: None found
- Dark Web: Not detected
Timeline
- 10 Apr 2019, 19:38: Published. Vulnerability first disclosed
- 28 May 2026, 18:18: Last Modified. Vulnerability information updated
Description
libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.
CVSS Metrics
- v3.1 • CRITICAL • Score: 9.8 • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- v2.0 • HIGH • Score: 7.5 • AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS Trends
Current EPSS score: 1.13% • Percentile: 79%
Affected Systems
- canonical•ubuntu_linux: 12.04 | 14.04 | 16.04 | 18.04 | 18.10
- debian•debian_linux: 8.0
- fedoraproject•fedora: 29 | 30
- netapp•active_iq_unified_manager: na
- netapp•cloud_backup: na
- netapp•e-series_santricity_management_plug-ins: na
- netapp•e-series_santricity_os_controller: ≥ 11.0, ≤ 11.70.2
- netapp•e-series_santricity_storage_manager: na
- netapp•e-series_santricity_unified_manager: na
- netapp•e-series_santricity_web_services_proxy: na
- netapp•element_software: na
- netapp•hci_management_node: na
- netapp•oncommand_insight: na
- netapp•oncommand_workflow_automation: na
- netapp•plug-in_for_symantec_netbackup: na
- netapp•santricity_unified_manager: na
- netapp•snapmanager: na
- netapp•solidfire: na
- netapp•steelstore_cloud_integrated_storage: na
- opensuse•leap: 15.0 | 15.1 | 42.3
- oracle•jdk: 8.0:update_221
- xmlsoft•libxslt: ≤ 1.1.33
References (16)
- https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6
- https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html
- https://usn.ubuntu.com/3947-2/
- http://www.openwall.com/lists/oss-security/2019/04/22/1
- https://usn.ubuntu.com/3947-1/
- http://www.openwall.com/lists/oss-security/2019/04/23/5
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html
- http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://security.netapp.com/advisory/ntap-20191017-0001/