CVE-2019-9628
Published 2019-04-11

CVE-2019-9628: The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class…

Priority: P339 · Severity: high · CVSS 3.1 base score: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 2.05% (78.9th percentile)
The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | xmltooling | < xmltooling 3.0.4-1 (bookworm) | xmltooling 3.0.4-1 (bookworm) |
| opensuse | leap | — | — |
| opensuse | leap | — | — |
| xmltooling_project | xmltooling | < 3.0.4 | 3.0.4 |
| xmltooling_project | xmltooling | >= 0 < 3.0.4-1 | 3.0.4-1 |
| xmltooling_project | xmltooling | >= 0 < 3.0.4-1 | 3.0.4-1 |
| xmltooling_project | xmltooling | >= 0 < 3.0.4-1 | 3.0.4-1 |
| xmltooling_project | xmltooling | >= 0 < 3.0.4-1 | 3.0.4-1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
XMLTooling Library Incorrectly Handles Some Exceptions
ghsa · 2022-05-13 · HIGH · CWE-755
OSV
CVE-2019-9628: The XMLTooling library all versions prior to V3
osv · 2019-04-11 · CVSS 7.5 · HIGH
Ubuntu
XMLTooling vulnerability
vendor_ubuntu · 2019-03-26
Summary: xmltooling could be made to crash if it opened a specially crafted file.
It was discovered that XMLTooling incorrectly handled certain XML files with invalid data. An attacker could use this issue to cause XMLTooling to crash, resulting in a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
xmltooling: XML parser class fails to trap exceptions on malformed XML declaration
vendor_redhat · 2019-03-11 · CVSS 7.5 · HIGH · CWE-20
Package: xmltooling (Red Hat JBoss Data Grid 6) - Out of support scope
Package: xmltooling (Red Hat JBoss Data Virtualization 6) - Out of support scope
Package: xmltooling (Red Hat JBoss Enterprise Application Platform 6) - Out of support scope
Package: xmltooling (Red Hat JBoss Fuse 6) - Out of support scope
Package: xmltooling (Red Hat JBoss Fuse Service Works 6) - Out of support scope
Packa
Debian
CVE-2019-9628: xmltooling - The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML ...
vendor_debian · 2019 · CVSS 7.5 · HIGH
Scope: local
bookworm: resolved (fixed in 3.0.4-1)
bullseye: resolved (fixed in 3.0.4-1)
forky: resolved (fixed in 3.0.4-1)
sid: resolved (fixed in 3.0.4-1)
trixie: resolved (fixed in 3.0.4-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-9628 xmltooling: XML parser class fails to trap exceptions on malformed XML declaration
bugzilla · 2019-04-04 · CVSS 7.5 · HIGH
A flaw was found in Shibboleth xmltooling before version 3.0.4. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type that can lead to a server crash and denial of service.
Upstream patch:
https://git.shibboleth.net/view/?p=cpp-xmltooling.git;a=commit;h=af27c422f551e16989ff6f1722d83614c8550eb5
References:
https://shibboleth.net/community/advisories/secadv_20190311.txt
Discussion:
Created xmltooling tracking bugs for this issue:
Affects: fedora-all [bug 1695998]
---
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Fuse Service Works 6
Bugzilla
CVE-2019-9628 xmltooling: XML parser class fails to trap exceptions on malformed XML declaration [fedora-all]
bugzilla · 2019-04-04 · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.

For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue aff
References:
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html
- https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912
- https://security.netapp.com/advisory/ntap-20190611-0003/
- https://shibboleth.net/community/advisories/secadv_20190311.txt
- https://usn.ubuntu.com/3921-1/
- https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories
Published: 2019-04-11