Published: 11/04/2019 Updated: 11/06/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

A vulnerability in the XMLTooling-C library of Shibboleth Service Provider could allow an unauthenticated, remote malicious user to cause a denial of service (DoS) condition on a targeted system. The vulnerability exists because the affected software mishandles invalid data in the XML declaration. An attacker could exploit this vulnerability by submitting crafted XML input to a targeted system. A successful exploit could cause the application to crash, resulting in a DoS condition. Shibboleth Consortium has confirmed the vulnerability and released software updates.

Vulnerability Trend

Affected Products

Vendor Product Versions
Xmltooling ProjectXmltooling1.5.4
CanonicalUbuntu Linux14.04, 16.04, 18.04, 18.10
OpensuseLeap15.0, 42.3

Vendor Advisories

Ross Geerlings discovered that the XMLTooling library didn't correctly handle exceptions on malformed XML declarations, which could result in denial of service against the application using XMLTooling For the stable distribution (stretch), this problem has been fixed in version 160-4+deb9u2 We recommend that you upgrade your xmltooling packages ...
xmltooling could be made to crash if it opened a specially crafted file ...
Debian Bug report logs - #924346 xmltooling: CVE-2019-9628: XML parser class fails to trap exceptions on malformed XML declaration Package: src:xmltooling; Maintainer for src:xmltooling is Debian Shib Team <pkg-shibboleth-devel@listsaliothdebianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Mon, ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4407-1 security () debian org wwwdebianorg/security/ Moritz Muehlenhoff March 12, 2019 wwwdebianorg/security/faq ...