CVE-2019-11068

Name: CVE-2019-11068
Creator: NVD / NIST
Published: 2019-04-10T20:29:01.147+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 5.23%

Last modified Jun 17, 2026

CVE-2019-11068 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.. EPSS estimates a 5.23% chance of exploitation in the next 30 days.

Description

libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

5.23%

91.5th percentile

Probability of exploitation in the next 30 days. Learn more

Affected Software

Vendor	Product	Versions	Update
Xmlsoft	Libxslt	<= 1.1.33	—
Canonical	Ubuntu Linux	12.04	—
Canonical	Ubuntu Linux	14.04	—
Canonical	Ubuntu Linux	16.04	—
Canonical	Ubuntu Linux	18.04	—
Canonical	Ubuntu Linux	18.10	—
Debian	Debian Linux	8.0	—
Fedoraproject	Fedora	29	—
Fedoraproject	Fedora	30	—
Oracle	Jdk	8.0	Update 221
Netapp	Active Iq Unified Manager	All versions	—
Netapp	Cloud Backup	All versions	—
Netapp	E-Series Santricity Management Plug-Ins	All versions	—
Netapp	E-Series Santricity Os Controller	>= 11.0, <= 11.70.2	—
Netapp	E-Series Santricity Storage Manager	All versions	—
Netapp	E-Series Santricity Unified Manager	All versions	—
Netapp	E-Series Santricity Web Services Proxy	All versions	—
Netapp	Element Software	All versions	—
Netapp	Hci Management Node	All versions	—
Netapp	Oncommand Insight	All versions	—
Netapp	Oncommand Workflow Automation	All versions	—
Netapp	Plug-In For Symantec Netbackup	All versions	—
Netapp	Santricity Unified Manager	All versions	—
Netapp	Snapmanager	All versions	—
Netapp	Solidfire	All versions	—
Netapp	Steelstore Cloud Integrated Storage	All versions	—
Opensuse	Leap	15.0	—
Opensuse	Leap	15.1	—
Opensuse	Leap	42.3	—

References

http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.htmlThird Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/22/1Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/23/5Mailing List, Third Party Advisory
https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/04/msg00016.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
https://security.netapp.com/advisory/ntap-20191017-0001/Third Party Advisory
https://usn.ubuntu.com/3947-1/Third Party Advisory
https://usn.ubuntu.com/3947-2/Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatch, Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.htmlThird Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/22/1Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2019/04/23/5Mailing List, Third Party Advisory
https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6Patch, Third Party Advisory
https://lists.debian.org/debian-lts-announce/2019/04/msg00016.htmlMailing List, Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/
https://security.netapp.com/advisory/ntap-20191017-0001/Third Party Advisory
https://usn.ubuntu.com/3947-1/Third Party Advisory
https://usn.ubuntu.com/3947-2/Third Party Advisory
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlPatch, Third Party Advisory

Timeline

Published: Apr 10, 2019
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2019-11068?

How severe is CVE-2019-11068?

CVE-2019-11068 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 5.23% probability of exploitation in the next 30 days.

How do I fix CVE-2019-11068?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-11068?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST