Description
All versions of the XMLTooling library prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contain an XML parsing class. Invalid data in the XML declaration causes an exception of a type that is not handled properly in the parser class, so an unexpected exception type propagates.
References (7)
Third Party Advisory x_refsource_misc
https://shibboleth.net/community/advisories/secadv_20190311.txt
Third Party Advisory vendor-advisory x_refsource_ubuntu
https://usn.ubuntu.com/3921-1/
Third Party Advisory x_refsource_misc
https://wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_suse
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20190611-0003/
Scores
CVSS v3
7.5
EPSS
0.0080
EPSS Percentile
74.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-755
Status
published
Products (8)
canonical/ubuntu_linux
14.04
canonical/ubuntu_linux
16.04
canonical/ubuntu_linux
18.04
canonical/ubuntu_linux
18.10
opensuse/leap
15.0
opensuse/leap
42.3
org.opensaml/xmltooling
0 - 3.0.4 (Maven)
xmltooling_project/xmltooling
< 3.0.4
Published
Apr 11, 2019
Tracked Since
Feb 18, 2026