CVE-2019-9628 - OpenCVE

The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

AV:N/AC:L/Au:N/C:N/I:N/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Canonical	Ubuntu Linux
Opensuse	Leap
Xmltooling Project	Xmltooling

Configuration 1 [-]

cpe:2.3:a:xmltooling_project:xmltooling:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:14.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:16.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:18.10:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:opensuse:leap:15.0:::::::*
	cpe:2.3:o:opensuse:leap:42.3:::::::*

References

Link	Resource
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html	Mailing List Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html	Mailing List Third Party Advisory
https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912	Issue Tracking Third Party Advisory
https://security.netapp.com/advisory/ntap-20190611-0003/	Third Party Advisory
https://shibboleth.net/community/advisories/secadv_20190311.txt	Third Party Advisory
https://usn.ubuntu.com/3921-1/	Third Party Advisory
https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories	Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2019-04-11T19:26:11

Updated: 2019-06-11T22:06:05

Reserved: 2019-03-07T00:00:00

Link: CVE-2019-9628

JSON object: View

NVD Information

Status : Analyzed

Published: 2019-04-11T20:29:00.837

Modified: 2022-04-18T17:32:48.363

Link: CVE-2019-9628

JSON object: View

Redhat Information

No data.

CWE

CWE-755

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-03-13T00:00:00", "descriptions": [{"lang": "en", "value": "The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-06-11T22:06:05", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://shibboleth.net/community/advisories/secadv_20190311.txt"}, {"name": "USN-3921-1", "tags": ["vendor-advisory", "x_refsource_UBUNTU"], "url": "https://usn.ubuntu.com/3921-1/"}, {"tags": ["x_refsource_MISC"], "url": "https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories"}, {"tags": ["x_refsource_MISC"], "url": "https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912"}, {"name": "openSUSE-SU-2019:1235", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html"}, {"name": "openSUSE-SU-2019:1276", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://security.netapp.com/advisory/ntap-20190611-0003/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-9628", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://shibboleth.net/community/advisories/secadv_20190311.txt", "refsource": "MISC", "url": "https://shibboleth.net/community/advisories/secadv_20190311.txt"}, {"name": "USN-3921-1", "refsource": "UBUNTU", "url": "https://usn.ubuntu.com/3921-1/"}, {"name": "https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories", "refsource": "MISC", "url": "https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories"}, {"name": "https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912", "refsource": "MISC", "url": "https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912"}, {"name": "openSUSE-SU-2019:1235", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html"}, {"name": "openSUSE-SU-2019:1276", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html"}, {"name": "https://security.netapp.com/advisory/ntap-20190611-0003/", "refsource": "CONFIRM", "url": "https://security.netapp.com/advisory/ntap-20190611-0003/"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-9628", "datePublished": "2019-04-11T19:26:11", "dateReserved": "2019-03-07T00:00:00", "dateUpdated": "2019-06-11T22:06:05", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xmltooling_project:xmltooling:*:*:*:*:*:*:*:*", "matchCriteriaId": "6603E9FB-CFBF-4F63-A4C7-E2D7D7C1616F", "versionEndExcluding": "3.0.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "matchCriteriaId": "B5A6F2F3-4894-4392-8296-3B8DD2679084", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "matchCriteriaId": "F7016A2A-8365-4F1A-89A2-7A19F2BCAE5B", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "matchCriteriaId": "07C312A0-CD2C-4B9C-B064-6409B25C278F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "F1E78106-58E6-4D59-990F-75DA575BFAD9", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "matchCriteriaId": "5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type."}, {"lang": "es", "value": "La libreria XMLTooling, en todas las versiones anteriores a la V3.0.4, suministrada con el software OpenSAML y Shibboleth Service Provider, contiene una clase de parser XML. Los datos no v\u00e1lidos en la declaraci\u00f3n XML causan una excepci\u00f3n de un tipo debido a que se manej\u00f3 de forma incorrecta en la clase parser y propaga un tipo de excepci\u00f3n inesperado."}], "id": "CVE-2019-9628", "lastModified": "2022-04-18T17:32:48.363", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-11T20:29:00.837", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20190611-0003/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://shibboleth.net/community/advisories/secadv_20190311.txt"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/3921-1/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}]}