{"id":"CVE-2019-11068","details":"libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded.","aliases":["GHSA-qxcg-xjjg-66mj"],"modified":"2026-04-16T04:31:39.491954536Z","published":"2019-04-10T20:29:01.147Z","related":["SUSE-SU-2019:1221-1","SUSE-SU-2019:1221-2","SUSE-SU-2019:1232-1","SUSE-SU-2019:1381-1","SUSE-SU-2019:1862-1","SUSE-SU-2019:1973-1","SUSE-SU-2019:2046-1","openSUSE-SU-2019:1428-1","openSUSE-SU-2019:1433-1","openSUSE-SU-2019:1527-1","openSUSE-SU-2019:1824-1","openSUSE-SU-2024:10589-1","openSUSE-SU-2024:11017-1","openSUSE-SU-2024:11340-1","openSUSE-SU-2024:11912-1","openSUSE-SU-2024:13165-1","openSUSE-SU-2024:14174-1","openSUSE-SU-2025:14697-1","openSUSE-SU-2026:10356-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GCOAX2IHUMKCM3ILHTMGLHCDSBTLP2JU/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SK4YNISS22MJY22YX5I6V2U63QZAUEHA/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/36TEYN37XCCKN2XUMRTBBW67BPNMSW4K/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2019/04/msg00016.html"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3947-1/"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/04/23/5"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20191017-0001/"},{"type":"ADVISORY","url":"https://usn.ubuntu.com/3947-2/"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00053.html"},{"type":"ADVISORY","url":"http://www.openwall.com/lists/oss-security/2019/04/22/1"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00048.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00052.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"},{"type":"FIX","url":"https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"},{"type":"FIX","url":"https://gitlab.gnome.org/GNOME/libxslt/commit/e03553605b45c88f0b4b2980adfbbb8f6fca2fd6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://gitlab.gnome.org/GNOME/libxslt","events":[{"introduced":"0"},{"last_affected":"f1eb717f04d9cc297cc5e58e94b81ac96f47e741"},{"fixed":"e03553605b45c88f0b4b2980adfbbb8f6fca2fd6"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.1.33"}]}}],"versions":["1.1.23","1.1.24","CVE-2015-7995","LIBXSLT_0_0_0","LIBXSLT_0_10_0","LIBXSLT_0_11_0","LIBXSLT_0_12_0","LIBXSLT_0_13_0","LIBXSLT_0_14_0","LIBXSLT_0_1_0","LIBXSLT_0_3_0","LIBXSLT_0_4_0","LIBXSLT_0_6_0","LIBXSLT_0_7_0","LIBXSLT_0_8_0","LIBXSLT_0_9_0","LIBXSLT_1_0_0","LIBXSLT_1_0_10","LIBXSLT_1_0_11","LIBXSLT_1_0_12","LIBXSLT_1_0_13","LIBXSLT_1_0_14","LIBXSLT_1_0_16","LIBXSLT_1_0_17","LIBXSLT_1_0_18","LIBXSLT_1_0_19","LIBXSLT_1_0_2","LIBXSLT_1_0_20","LIBXSLT_1_0_21","LIBXSLT_1_0_22","LIBXSLT_1_0_23","LIBXSLT_1_0_24","LIBXSLT_1_0_25","LIBXSLT_1_0_26","LIBXSLT_1_0_27","LIBXSLT_1_0_28","LIBXSLT_1_0_29","LIBXSLT_1_0_3","LIBXSLT_1_0_30","LIBXSLT_1_0_31","LIBXSLT_1_0_32","LIBXSLT_1_0_33","LIBXSLT_1_0_4","LIBXSLT_1_0_5","LIBXSLT_1_0_6","LIBXSLT_1_0_7","LIBXSLT_1_0_8","LIBXSLT_1_0_9","LIBXSLT_1_1_0","LIBXSLT_1_1_1","LIBXSLT_1_1_10","LIBXSLT_1_1_11","LIBXSLT_1_1_12","LIBXSLT_1_1_13","LIBXSLT_1_1_14","LIBXSLT_1_1_15","LIBXSLT_1_1_16","LIBXSLT_1_1_17","LIBXSLT_1_1_18","LIBXSLT_1_1_2","LIBXSLT_1_1_21","LIBXSLT_1_1_22","LIBXSLT_1_1_3","LIBXSLT_1_1_4","LIBXSLT_1_1_5","LIBXSLT_1_1_6","LIBXSLT_1_1_7","LIBXSLT_1_1_8","LIBXSLT_1_1_9","LIXSLT_0_5_0","v1.1.25","v1.1.26","v1.1.27","v1.1.27-rc1","v1.1.28","v1.1.29","v1.1.29-rc1","v1.1.29-rc2","v1.1.30","v1.1.30-rc1","v1.1.30-rc2","v1.1.31","v1.1.31-rc1","v1.1.31-rc2","v1.1.32","v1.1.32-rc1","v1.1.32-rc2","v1.1.33","v1.1.33-rc1","v1.1.33-rc2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2019-11068.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"12.04"}]},{"events":[{"introduced":"0"},{"last_affected":"14.04"}]},{"events":[{"introduced":"0"},{"last_affected":"16.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.04"}]},{"events":[{"introduced":"0"},{"last_affected":"18.10"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"29"}]},{"events":[{"introduced":"0"},{"last_affected":"30"}]},{"events":[{"introduced":"0"},{"last_affected":"8.0-update_221"}]},{"events":[{"introduced":"11.0"},{"last_affected":"11.70.2"}]},{"events":[{"introduced":"0"},{"last_affected":"15.0"}]},{"events":[{"introduced":"0"},{"last_affected":"15.1"}]},{"events":[{"introduced":"0"},{"last_affected":"42.3"}]}],"vanir_signatures":[{"id":"CVE-2019-11068-0db44094","signature_version":"v1","target":{"file":"libxslt/imports.c","function":"xsltParseStylesheetImport"},"source":"https://gitlab.gnome.org/GNOME/libxslt@e03553605b45c88f0b4b2980adfbbb8f6fca2fd6","deprecated":false,"digest":{"function_hash":"302416921412859415376096746446527180075","length":1645},"signature_type":"Function"},{"id":"CVE-2019-11068-154d8152","signature_version":"v1","target":{"file":"libxslt/xslt.c"},"source":"https://gitlab.gnome.org/GNOME/libxslt@e03553605b45c88f0b4b2980adfbbb8f6fca2fd6","deprecated":false,"digest":{"threshold":0.9,"line_hashes":["140032315845821796802752775307963626919","213217011618512885795834152198975711490","226116215600954996150777246084535115480","186212241064506231879703455046072025342","286563214419529547555945137053722022774","326546873208965902369979429190161724601","316688534615298657799450951185100178784"]},"signature_type":"Line"},{"id":"CVE-2019-11068-3064eeb4","signature_version":"v1","target":{"file":"libxslt/imports.c"},"digest":{"threshold":0.9,"line_hashes":["85197162534367973800327175405805729261","242322063007795290270019507664519251725","143940344313547574587645136104783274540","228787933629541537163197103905468215159","179265513524088567783138913366521859924","110056734750921969617038576298525954929","310569582871120465384699988241425545575"]},"deprecated":false,"source":"https://gitlab.gnome.org/GNOME/libxslt@e03553605b45c88f0b4b2980adfbbb8f6fca2fd6","signature_type":"Line"},{"id":"CVE-2019-11068-4acbe75f","source":"https://gitlab.gnome.org/GNOME/libxslt@e03553605b45c88f0b4b2980adfbbb8f6fca2fd6","target":{"file":"libxslt/documents.c"},"signature_version":"v1","deprecated":false,"signature_type":"Line","digest":{"threshold":0.9,"line_hashes":["314011119010095647014477432094708461628","16267224672623018506906692486928113128","62092043479254313971681097274583898857","125016796470570232654018743904308459162","217218303520523696049496046179453405816","170373645481298204357515116471410137281","241154543692016859613236090630400963155","186742267024944420359121909199236615256","17902529306953328973111081281617669624","82612625329044732956509656205848245461","145558063285484301343146595397148944961","268905623376274552184164890426168339579","278265835298245213571320986700743344857","241154543692016859613236090630400963155"]}},{"id":"CVE-2019-11068-6c4af62f","signature_version":"v1","target":{"file":"libxslt/documents.c","function":"xsltLoadStyleDocument"},"digest":{"function_hash":"209985456054976489622231891923134047522","length":778},"deprecated":false,"source":"https://gitlab.gnome.org/GNOME/libxslt@e03553605b45c88f0b4b2980adfbbb8f6fca2fd6","signature_type":"Function"},{"id":"CVE-2019-11068-8fc6981e","signature_version":"v1","target":{"file":"libxslt/transform.c"},"source":"https://gitlab.gnome.org/GNOME/libxslt@e03553605b45c88f0b4b2980adfbbb8f6fca2fd6","deprecated":false,"signature_type":"Line","digest":{"line_hashes":["90387017709684578344532056308518715629","169296172446583580066508587657545684622","129557452112480492416004573798242511670","264518243095327234110828047005224829200","161915831349098538764366124637545373781","173532098141804122581359035813162260735","25220346494832457339677042270878882370"],"threshold":0.9}},{"id":"CVE-2019-11068-a932385c","signature_version":"v1","target":{"file":"libxslt/transform.c","function":"xsltDocumentElem"},"source":"https://gitlab.gnome.org/GNOME/libxslt@e03553605b45c88f0b4b2980adfbbb8f6fca2fd6","deprecated":false,"signature_type":"Function","digest":{"function_hash":"250888866097497092461426752487096200325","length":10469}},{"id":"CVE-2019-11068-f264928b","signature_version":"v1","target":{"file":"libxslt/xslt.c","function":"xsltParseStylesheetFile"},"source":"https://gitlab.gnome.org/GNOME/libxslt@e03553605b45c88f0b4b2980adfbbb8f6fca2fd6","deprecated":false,"digest":{"function_hash":"23362803898696358080868369925092806868","length":806},"signature_type":"Function"},{"id":"CVE-2019-11068-f98af468","source":"https://gitlab.gnome.org/GNOME/libxslt@e03553605b45c88f0b4b2980adfbbb8f6fca2fd6","target":{"file":"libxslt/documents.c","function":"xsltLoadDocument"},"signature_version":"v1","deprecated":false,"signature_type":"Function","digest":{"function_hash":"180039127365859454326425206242842232800","length":1200}}],"vanir_signatures_modified":"2026-04-11T08:55:43Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}