Lucene search

[email protected]NVD:CVE-2012-3488

HistoryOct 03, 2012 - 9:55 p.m.

CVE-2012-3488

2012-10-0321:55:00

CWE-264

[email protected]

web.nvd.nist.gov

4.9 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:P/A:N

6.4 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.2%

JSON

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.

Affected configurations

NVD

Node

postgresqlpostgresqlMatch9.1

postgresqlpostgresqlMatch9.1.1

postgresqlpostgresqlMatch9.1.2

postgresqlpostgresqlMatch9.1.3

postgresqlpostgresqlMatch9.1.4

Node

postgresqlpostgresqlMatch8.4

postgresqlpostgresqlMatch8.4.1

postgresqlpostgresqlMatch8.4.2

postgresqlpostgresqlMatch8.4.3

postgresqlpostgresqlMatch8.4.4

postgresqlpostgresqlMatch8.4.5

postgresqlpostgresqlMatch8.4.6

postgresqlpostgresqlMatch8.4.7

postgresqlpostgresqlMatch8.4.8

postgresqlpostgresqlMatch8.4.9

postgresqlpostgresqlMatch8.4.10

postgresqlpostgresqlMatch8.4.11

postgresqlpostgresqlMatch8.4.12

Node

postgresqlpostgresqlMatch8.3

postgresqlpostgresqlMatch8.3.1

postgresqlpostgresqlMatch8.3.2

postgresqlpostgresqlMatch8.3.3

postgresqlpostgresqlMatch8.3.4

postgresqlpostgresqlMatch8.3.5

postgresqlpostgresqlMatch8.3.6

postgresqlpostgresqlMatch8.3.7

postgresqlpostgresqlMatch8.3.8

postgresqlpostgresqlMatch8.3.9

postgresqlpostgresqlMatch8.3.10

postgresqlpostgresqlMatch8.3.11

postgresqlpostgresqlMatch8.3.12

postgresqlpostgresqlMatch8.3.13

postgresqlpostgresqlMatch8.3.14

postgresqlpostgresqlMatch8.3.15

postgresqlpostgresqlMatch8.3.16

postgresqlpostgresqlMatch8.3.17

postgresqlpostgresqlMatch8.3.18

postgresqlpostgresqlMatch8.3.19

Node

postgresqlpostgresqlMatch9.0

postgresqlpostgresqlMatch9.0.1

postgresqlpostgresqlMatch9.0.2

postgresqlpostgresqlMatch9.0.3

postgresqlpostgresqlMatch9.0.4

postgresqlpostgresqlMatch9.0.5

postgresqlpostgresqlMatch9.0.6

postgresqlpostgresqlMatch9.0.7

postgresqlpostgresqlMatch9.0.8

References

kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

lists.apple.com/archives/security-announce/2013/Mar/msg00002.html

lists.opensuse.org/opensuse-updates/2012-09/msg00102.html

lists.opensuse.org/opensuse-updates/2012-10/msg00013.html

lists.opensuse.org/opensuse-updates/2012-10/msg00024.html

rhn.redhat.com/errata/RHSA-2012-1263.html

rhn.redhat.com/errata/RHSA-2012-1264.html

secunia.com/advisories/50635

secunia.com/advisories/50636

secunia.com/advisories/50718

secunia.com/advisories/50859

secunia.com/advisories/50946

www.debian.org/security/2012/dsa-2534

www.mandriva.com/security/advisories?name=MDVSA-2012:139

www.postgresql.org/about/news/1407/

www.postgresql.org/docs/8.3/static/release-8-3-20.html

www.postgresql.org/docs/8.4/static/release-8-4-13.html

www.postgresql.org/docs/9.0/static/release-9-0-9.html

www.postgresql.org/docs/9.1/static/release-9-1-5.html

www.postgresql.org/support/security/

www.securityfocus.com/bid/55072

www.ubuntu.com/usn/USN-1542-1

blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2

bugzilla.redhat.com/show_bug.cgi?id=849172

4.9 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:P/A:N

6.4 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

54.2%

JSON

Related for NVD:CVE-2012-3488

nessus27 openvas35 veracode2 redhat2 oraclelinux2 centos2 cvelist1 seebug1 cve1 postgresql1 amazon2 ubuntucve1 prion1 ubuntu1 osv1 securityvulns4 debian1 fedora4 freebsd1 gentoo1