CVE-2012-3489

Published: 03/10/2012 Updated: 15/02/2024
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 358
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Vulnerability Summary

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 prior to 8.3.20, 8.4 prior to 8.4.13, 9.0 prior to 9.0.9, and 9.1 prior to 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.

Vulnerable Products

PostgreSQL (postgresql)
openSUSE 11.4, 12.1, 12.2
Apple Mac OS X Server, Mac OS X Server 10.6.8
Canonical Ubuntu Linux 8.04, 10.04, 11.04, 11.10, 12.04
Debian Linux 6.0
Red Hat Enterprise Linux Desktop 5.0, 6.0
Red Hat Enterprise Linux Server 5.0, 6.0
Red Hat Enterprise Linux Workstation 5.0, 6.0
Red Hat Enterprise Linux EUS 6.3

Vendor Advisories

Synopsis: Moderate: postgresql and postgresql84 security update. Type/Severity: Security Advisory: Moderate. Topic: Updated postgresql84 and postgresql packages that fix two security issues are now available for Red Hat Enterprise Linux 5 and 6 respectively. The Red Hat Security Response Team has rated this update ...

PostgreSQL could allow unintended access to files over the network when using the XML2 extension ...

Two vulnerabilities related to XML processing were discovered in PostgreSQL, an SQL database. CVE-2012-3488: contrib/xml2's xslt_process() can be used to read and write external files and URLs. CVE-2012-3489: xml_parse() fetches external files or URLs to resolve DTD and entity references in XML values. This update removes the problematic functi ...

It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations (XSLT). An unprivileged database user could use this flaw to read and write to local files (such as the database's configur ...