CVE-2012-3488
PostgreSQL 8.3-8.3.19, 8.4-8.4.12, 9.0-9.0.8, 9.1-9.1.4 - Authenticated XML External Entity Injection via libxslt
Title source: llmDescription
The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
References (24)
Core 24
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1263.html
Vendor Advisory vendor-advisory
x_refsource_redhat
http://rhn.redhat.com/errata/RHSA-2012-1264.html
Various Sources x_refsource_confirm
http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
Vendor Advisory vendor-advisory
x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2012:139
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/50636
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=849172
Vendor Advisory vendor-advisory
x_refsource_ubuntu
http://www.ubuntu.com/usn/USN-1542-1
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/50718
Various Sources x_refsource_confirm
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
Various Sources x_refsource_confirm
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2
Various Sources x_refsource_confirm
http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
Various Sources x_refsource_confirm
http://www.postgresql.org/docs/8.3/static/release-8-3-20.html
Vendor Advisory x_refsource_confirm
http://www.postgresql.org/about/news/1407/
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/50635
Vendor Advisory x_refsource_confirm
http://www.postgresql.org/support/security/
Mailing List vendor-advisory
x_refsource_apple
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/50946
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/55072
Third Party Advisory vendor-advisory
x_refsource_debian
http://www.debian.org/security/2012/dsa-2534
Vendor Advisory x_refsource_confirm
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html
Third Party Advisory third-party-advisory
x_refsource_secunia
http://secunia.com/advisories/50859
Mailing List vendor-advisory
x_refsource_suse
http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html
Scores
EPSS
0.0020
EPSS Percentile
41.8%
Details
CWE
CWE-264
Status
published
Products (47)
postgresql/postgresql
9.1
postgresql/postgresql
9.1.1
postgresql/postgresql
9.1.2
postgresql/postgresql
9.1.3
postgresql/postgresql
9.1.4
postgresql/postgresql
8.4
postgresql/postgresql
8.4.1
postgresql/postgresql
8.4.2
postgresql/postgresql
8.4.3
postgresql/postgresql
8.4.4
... and 37 more
Published
Oct 03, 2012
Tracked Since
Feb 18, 2026