CVE-2012-3488
Severity CVSS v4.0:
Pending analysis
Type:
CWE-264
Permissions, Privileges, and Access Control
Publication date:
03/10/2012
Last modified:
11/04/2025
Description
The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
Impact
Base Score 2.0
4.90
Severity 2.0
MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:postgresql:postgresql:9.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:9.1.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:9.1.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:9.1.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:9.1.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:8.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:8.4.1:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:8.4.2:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:8.4.3:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:8.4.4:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:8.4.5:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:8.4.6:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:8.4.7:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:8.4.8:*:*:*:*:*:*:* | ||
| cpe:2.3:a:postgresql:postgresql:8.4.9:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
- http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html
- http://rhn.redhat.com/errata/RHSA-2012-1263.html
- http://rhn.redhat.com/errata/RHSA-2012-1264.html
- http://secunia.com/advisories/50635
- http://secunia.com/advisories/50636
- http://secunia.com/advisories/50718
- http://secunia.com/advisories/50859
- http://secunia.com/advisories/50946
- http://www.debian.org/security/2012/dsa-2534
- http://www.mandriva.com/security/advisories?name=MDVSA-2012%3A139
- http://www.postgresql.org/about/news/1407/
- http://www.postgresql.org/docs/8.3/static/release-8-3-20.html
- http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
- http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
- http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
- http://www.postgresql.org/support/security/
- http://www.securityfocus.com/bid/55072
- http://www.ubuntu.com/usn/USN-1542-1
- https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2
- https://bugzilla.redhat.com/show_bug.cgi?id=849172
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
- http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html
- http://rhn.redhat.com/errata/RHSA-2012-1263.html
- http://rhn.redhat.com/errata/RHSA-2012-1264.html
- http://secunia.com/advisories/50635
- http://secunia.com/advisories/50636
- http://secunia.com/advisories/50718
- http://secunia.com/advisories/50859
- http://secunia.com/advisories/50946
- http://www.debian.org/security/2012/dsa-2534
- http://www.mandriva.com/security/advisories?name=MDVSA-2012%3A139
- http://www.postgresql.org/about/news/1407/
- http://www.postgresql.org/docs/8.3/static/release-8-3-20.html
- http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
- http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
- http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
- http://www.postgresql.org/support/security/
- http://www.securityfocus.com/bid/55072
- http://www.ubuntu.com/usn/USN-1542-1
- https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2
- https://bugzilla.redhat.com/show_bug.cgi?id=849172