CVE-2019-9628 - The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Servi

CVE-2019-9628

Summary

The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type.

References

Vulnerable Configurations

cpe:2.3:a:xmltooling_project:xmltooling:1.5.4:*:*:*:*:*:*:*
cpe:2.3:a:xmltooling_project:xmltooling:1.5.4:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*

CVSS

Base:	5.0 (as of 18-04-2022 - 17:32)
Impact:
Exploitability:

CWE

CWE-755

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	NONE

Impact

Confidentiality	Integrity	Availability
NONE	NONE	PARTIAL

cvss-vector via4

AV:N/AC:L/Au:N/C:N/I:N/A:P

refmap via4

confirm	https://security.netapp.com/advisory/ntap-20190611-0003/
misc	https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912 https://shibboleth.net/community/advisories/secadv_20190311.txt https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories
suse	openSUSE-SU-2019:1235 openSUSE-SU-2019:1276
ubuntu	USN-3921-1

Last major update

18-04-2022 - 17:32

Published

11-04-2019 - 20:29

Last modified

18-04-2022 - 17:32