Permissions, Privileges, and Access Controls in libxslt (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-11068 |
| CWE-ID | CWE-264 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
libxslt (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Permissions, Privileges, and Access Controls
EUVDB-ID: #VU18276
Risk: Medium
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2019-11068
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists due to an error within the xsltCheckRead() and xsltCheckWrite() functions when processing requests from remote servers. A remote attacker can trick the victim into opening a specially crafted URL that will result in "-1 error" code but the URL itself will be processed by the application later.
Successful exploitation of the vulnerability may allow an attacker to bypass certain security restrictions and perform XXE attacks.Mitigation
Install update from vendor's website.
Vulnerable software versionslibxslt (Alpine package): 1.1.27-r0 - 1.1.29-r3
CPE2.3- cpe:2.3:o:alpine:libxslt_alpine_package:1.1.27-r0:*:*:*:*:alpine_linux:*:2.1
- cpe:2.3:o:alpine:libxslt_alpine_package:1.1.27-r1:*:*:*:*:alpine_linux:*:2.1
- cpe:2.3:o:alpine:libxslt_alpine_package:1.1.28-r0:*:*:*:*:alpine_linux:*:2.2
https://git.alpinelinux.org/aports/commit/?id=36f4bd78050ec6ce2ad65444031df6c1f3db5cc9
https://git.alpinelinux.org/aports/commit/?id=15d065f8bf5e73b1d88ca046d99933d217781aab
https://git.alpinelinux.org/aports/commit/?id=4281a184d7a2aab9a0f2352a418084cad73ee2dc
https://git.alpinelinux.org/aports/commit/?id=5f61e0e106315c69b9cec8e394286e8cf98c99e2
https://git.alpinelinux.org/aports/commit/?id=8b51ccff6e6b617759f391802b960f04ef4adf46
https://git.alpinelinux.org/aports/commit/?id=e0bf68014c8449196d77264ba2cc6a040051be9a
https://git.alpinelinux.org/aports/commit/?id=ef2dd8d40fec766b73bb686c015aa9e2a52b378b
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
