CVE-2019-9628
Description
The XMLTooling library all versions prior to V3.0.4, provided with the OpenSAML and Shibboleth Service Provider software, contains an XML parsing class. Invalid data in the XML declaration causes an exception of a type that was not handled properly in the parser class and propagates an unexpected exception type.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper exception handling in XMLTooling before V3.0.4 causes denial-of-service via malformed XML declarations in OpenSAML and Shibboleth SP.
Vulnerability
The XMLTooling library, included with OpenSAML and Shibboleth Service Provider software, contains an XML parsing class that fails to properly handle exceptions triggered by malformed XML declarations. Invalid data in the XML declaration causes an exception of an unexpected type to propagate unhandled, leading to a crash of the calling application [1][4].
Exploitation
The crash occurs before any message authenticity evaluation, allowing an untrusted attacker to trigger the denial-of-service by sending a crafted XML declaration to a service using the vulnerable library. No authentication is required; the attack can be performed remotely over the network [4]. This vulnerability is not limited to V3 of XMLTooling; it is believed to affect all versions prior to 3.0.4 [4].
Impact
Successful exploitation results in a denial-of-service (DoS) condition. In typical Shibboleth SP deployments, this manifests as a crash of the shibd daemon process, but can also affect Apache HTTPD in some configurations [4]. The attacker gains no ability to read or modify data, but can disrupt service availability.
Mitigation
The vulnerability is remediated in XMLTooling version 3.0.4. The Shibboleth SP V3.0.4 patch release includes the updated library for Windows; Linux and other platforms should update the xmltooling package to 3.0.4 or later [4]. Ubuntu packages have been fixed as of 2019 via the Launchpad bug tracker [1]. No workarounds are documented.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opensaml:xmltooling (Maven) | < 3.0.4 | 3.0.4 |
Affected products
- Range: < 3.0.4 (GHSA coordinates, 8 package URLs):
  - pkg:maven/org.opensaml/xmltooling
  - pkg:rpm/suse/xmltooling (distro: SUSE Linux Enterprise Module for Server Applications 15)
  - pkg:rpm/suse/xmltooling (distro: SUSE Linux Enterprise Server 12 SP3)
  - pkg:rpm/suse/xmltooling (distro: SUSE Linux Enterprise Server 12 SP4)
  - pkg:rpm/suse/xmltooling (distro: SUSE Linux Enterprise Server for SAP Applications 12 SP3)
  - pkg:rpm/suse/xmltooling (distro: SUSE Linux Enterprise Server for SAP Applications 12 SP4)
  - pkg:rpm/suse/xmltooling (distro: SUSE Linux Enterprise Software Development Kit 12 SP3)
  - pkg:rpm/suse/xmltooling (distro: SUSE Linux Enterprise Software Development Kit 12 SP4)
- (no CPE) range: < 3.0.4
- (no CPE) range: < 1.6.4-3.3.2
- (no CPE) range: < 1.5.6-3.9.1
- (no CPE) range: < 1.5.6-3.9.1
- (no CPE) range: < 1.5.6-3.9.1
- (no CPE) range: < 1.5.6-3.9.1
- (no CPE) range: < 1.5.6-3.9.1
- (no CPE) range: < 1.5.6-3.9.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- lists.opensuse.org/opensuse-security-announce/2019-04/msg00079.html (GHSA; vendor advisory; x_refsource_SUSE)
- lists.opensuse.org/opensuse-security-announce/2019-04/msg00095.html (GHSA; vendor advisory; x_refsource_SUSE)
- github.com/advisories/GHSA-6hvf-xvwm-vrw4 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-9628 (GHSA; advisory)
- usn.ubuntu.com/3921-1/ (MITRE; vendor advisory; x_refsource_UBUNTU)
- bugs.launchpad.net/ubuntu/+source/xmltooling/+bug/1819912 (GHSA; x_refsource_MISC)
- security.netapp.com/advisory/ntap-20190611-0003 (GHSA)
- security.netapp.com/advisory/ntap-20190611-0003/ (MITRE; x_refsource_CONFIRM)
- shibboleth.net/community/advisories/secadv_20190311.txt (GHSA; x_refsource_MISC)
- usn.ubuntu.com/3921-1 (GHSA)
- wiki.shibboleth.net/confluence/display/SP3/SecurityAdvisories (GHSA; x_refsource_MISC)
News mentions
No linked articles in our index yet.