CVE-2012-3488

2012-08-1700:00:00

ubuntu.com

4.9 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:P/A:N

0.002 Low

EPSS

Percentile

54.2%

JSON

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4
before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly
restrict access to files and URLs, which allows remote authenticated users
to modify data, obtain sensitive information, or trigger outbound traffic
to arbitrary external hosts by leveraging (1) stylesheet commands that are
permitted by the libxslt security options or (2) an xslt_process feature,
related to an XML External Entity (aka XXE) issue.

OSVersionArchitecturePackageVersionFilename
ubuntu8.04noarchpostgresql-8.3< 8.3.20-0ubuntu8.04UNKNOWN
ubuntu10.04noarchpostgresql-8.4< 8.4.13-0ubuntu10.04UNKNOWN
ubuntu11.04noarchpostgresql-8.4< 8.4.13-0ubuntu11.04UNKNOWN
ubuntu12.04noarchpostgresql-8.4< 8.4.22-0ubuntu0.12.04UNKNOWN
ubuntu11.10noarchpostgresql-9.1< 9.1.5-0ubuntu11.10UNKNOWN
ubuntu12.04noarchpostgresql-9.1< 9.1.5-0ubuntu12.04UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	8.04	noarch	postgresql-8.3	< 8.3.20-0ubuntu8.04	UNKNOWN
ubuntu	10.04	noarch	postgresql-8.4	< 8.4.13-0ubuntu10.04	UNKNOWN
ubuntu	11.04	noarch	postgresql-8.4	< 8.4.13-0ubuntu11.04	UNKNOWN
ubuntu	12.04	noarch	postgresql-8.4	< 8.4.22-0ubuntu0.12.04	UNKNOWN
ubuntu	11.10	noarch	postgresql-9.1	< 9.1.5-0ubuntu11.10	UNKNOWN
ubuntu	12.04	noarch	postgresql-9.1	< 9.1.5-0ubuntu12.04	UNKNOWN