CVE-2019-9628

HIGH

XMLTooling <V3.0.4 - Info Disclosure

Title source: llm

Description

The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type.

References (7)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html

[Issue Tracking, Third Party Advisory] https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20190611-0003/

[Third Party Advisory] https://shibboleth.net/community/advisories/secadv_20190311.txt

[Third Party Advisory] https://usn.ubuntu.com/3921-1/

[Third Party Advisory] https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories

Scores

CVSS v3 7.5

EPSS 0.0080

EPSS Percentile 73.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-755

Status published

Affected Products (8)

xmltooling_project/xmltooling < 3.0.4

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

canonical/ubuntu_linux

opensuse/leap

opensuse/leap

org.opensaml/xmltooling < 3.0.4Maven

Timeline

Published Apr 11, 2019

Tracked Since Feb 18, 2026