{
  "threat_severity" : "Moderate",
  "public_date" : "2019-04-10T00:00:00Z",
  "bugzilla" : {
    "description" : "libxslt: xsltCheckRead and xsltCheckWrite routines security bypass by crafted URL",
    "id" : "1709697",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1709697"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-284",
  "details" : [ "libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded." ],
  "statement" : "Red Hat OpenStack will consume fixes from the base Red Hat Enterprise Linux Operating System. Therefore the package provided by Red Hat OpenStack has been marked as will not fix.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-09-29T00:00:00Z",
    "advisory" : "RHSA-2020:4005",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "libxslt-0:1.1.28-6.el7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4464",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "libxslt-0:1.1.32-5.el8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-11-04T00:00:00Z",
    "advisory" : "RHSA-2020:4464",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "libxslt-0:1.1.32-5.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "libxslt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "libxslt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "libxslt",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "libxslt",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 14 (Rocky)",
    "fix_state" : "Will not fix",
    "package_name" : "libxslt",
    "cpe" : "cpe:/a:redhat:openstack:14"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "libxslt",
    "cpe" : "cpe:/a:redhat:openstack:9"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "libxslt",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-11068\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-11068" ],
  "name" : "CVE-2019-11068",
  "mitigation" : {
    "value" : "This flaw only applies to applications compiled against libxml2 which use xsltCheckRead and xsltCheckWrite functions and/or allow users to load arbitrary URLs to be parsed via libxml2. In all other cases, applications are not vulnerable.",
    "lang" : "en:us"
  },
  "csaw" : false
}