CVE-2012-3488

Published: Oct 3, 2012Modified: Apr 29, 2026

4.9

Vector

AV:N/AC:M/Au:S/C:P/I:P/A:N

Exploitability: 6.8 / Impact: 4.9

Source: NVD

Description

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.

Affected (47)

Products: Postgresql: Postgresql

1 product

Configuration A

5 vulnerable

Vulnerable Software	Affected Versions
Postgresql Postgresql	Version 9.1.1
Postgresql Postgresql	Version 9.1.2
Postgresql Postgresql	Version 9.1.3
Postgresql Postgresql	Version 9.1.4
Postgresql Postgresql	Version 9.1

Configuration B

13 vulnerable

Vulnerable Software	Affected Versions
Postgresql Postgresql	Version 8.4.10
Postgresql Postgresql	Version 8.4.11
Postgresql Postgresql	Version 8.4.12
Postgresql Postgresql	Version 8.4.1
Postgresql Postgresql	Version 8.4.2
Postgresql Postgresql	Version 8.4.3
Postgresql Postgresql	Version 8.4.4
Postgresql Postgresql	Version 8.4.5
Postgresql Postgresql	Version 8.4.6
Postgresql Postgresql	Version 8.4.7
Postgresql Postgresql	Version 8.4.8
Postgresql Postgresql	Version 8.4.9
Postgresql Postgresql	Version 8.4

Configuration C

20 vulnerable

Vulnerable Software	Affected Versions
Postgresql Postgresql	Version 8.3.10
Postgresql Postgresql	Version 8.3.11
Postgresql Postgresql	Version 8.3.12
Postgresql Postgresql	Version 8.3.13
Postgresql Postgresql	Version 8.3.14
Postgresql Postgresql	Version 8.3.15
Postgresql Postgresql	Version 8.3.16
Postgresql Postgresql	Version 8.3.17
Postgresql Postgresql	Version 8.3.18
Postgresql Postgresql	Version 8.3.19
Postgresql Postgresql	Version 8.3.1
Postgresql Postgresql	Version 8.3.2
Postgresql Postgresql	Version 8.3.3
Postgresql Postgresql	Version 8.3.4
Postgresql Postgresql	Version 8.3.5
Postgresql Postgresql	Version 8.3.6
Postgresql Postgresql	Version 8.3.7
Postgresql Postgresql	Version 8.3.8
Postgresql Postgresql	Version 8.3.9
Postgresql Postgresql	Version 8.3

Configuration D

9 vulnerable

Vulnerable Software	Affected Versions
Postgresql Postgresql	Version 9.0.1
Postgresql Postgresql	Version 9.0.2
Postgresql Postgresql	Version 9.0.3
Postgresql Postgresql	Version 9.0.4
Postgresql Postgresql	Version 9.0.5
Postgresql Postgresql	Version 9.0.6
Postgresql Postgresql	Version 9.0.7
Postgresql Postgresql	Version 9.0.8
Postgresql Postgresql	Version 9.0

Related CWEs

References (48)

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

Source: secalert@redhat.com

http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2012-1263.html

Source: secalert@redhat.com

http://rhn.redhat.com/errata/RHSA-2012-1264.html

Source: secalert@redhat.com

http://secunia.com/advisories/50635

Source: secalert@redhat.com

http://secunia.com/advisories/50636

Source: secalert@redhat.com

http://secunia.com/advisories/50718

Source: secalert@redhat.com

http://secunia.com/advisories/50859

Source: secalert@redhat.com

http://secunia.com/advisories/50946

Source: secalert@redhat.com

http://www.debian.org/security/2012/dsa-2534

Source: secalert@redhat.com

http://www.mandriva.com/security/advisories?name=MDVSA-2012:139

Source: secalert@redhat.com

http://www.postgresql.org/about/news/1407/

Source: secalert@redhat.com

Vendor Advisory

http://www.postgresql.org/docs/8.3/static/release-8-3-20.html

Source: secalert@redhat.com

http://www.postgresql.org/docs/8.4/static/release-8-4-13.html

Source: secalert@redhat.com

http://www.postgresql.org/docs/9.0/static/release-9-0-9.html

Source: secalert@redhat.com

http://www.postgresql.org/docs/9.1/static/release-9-1-5.html

Source: secalert@redhat.com

http://www.postgresql.org/support/security/

Source: secalert@redhat.com

Vendor Advisory

http://www.securityfocus.com/bid/55072

Source: secalert@redhat.com

http://www.ubuntu.com/usn/USN-1542-1

Source: secalert@redhat.com

https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=849172

Source: secalert@redhat.com

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-1263.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://rhn.redhat.com/errata/RHSA-2012-1264.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/50635

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/50636

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/50718

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/50859

Source: af854a3a-2127-422b-91ae-364da2661108

http://secunia.com/advisories/50946

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2012/dsa-2534

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mandriva.com/security/advisories?name=MDVSA-2012:139

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.postgresql.org/about/news/1407/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.postgresql.org/docs/8.3/static/release-8-3-20.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.postgresql.org/docs/8.4/static/release-8-4-13.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.postgresql.org/docs/9.0/static/release-9-0-9.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.postgresql.org/docs/9.1/static/release-9-1-5.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.postgresql.org/support/security/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.securityfocus.com/bid/55072

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.ubuntu.com/usn/USN-1542-1

Source: af854a3a-2127-422b-91ae-364da2661108

https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2

Source: af854a3a-2127-422b-91ae-364da2661108

https://bugzilla.redhat.com/show_bug.cgi?id=849172

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.