CVE-2012-3489
Severity: MEDIUM
PostgreSQL 8.3.0-8.3.19, 8.4.0-8.4.12, 9.0.0-9.0.8, 9.1.0-9.1.4 - XXE Injection via xml_parse
Title source: llmDescription
The xml_parse function in the core server's libxml2 support in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 resolves external references while parsing an XML value. A remote authenticated database user can therefore supply an XML value that refers to (1) a DTD or (2) an entity with an external identifier and have the server fetch the named file or URL with the privileges of the database server process. The fetched data is not returned to the user directly, but the attempt reveals whether the file or URL exists, and when the content is not well-formed XML, portions of it can be exposed in the resulting parsing error. This is an XML External Entity (XXE) issue; the fixed releases stop xml_parse from accessing external files and URLs.
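As an added example (not part of this CVE record and not PostgreSQL's own code), the following Python helper covers the two checks a practitioner wants from this entry: whether a server's `SELECT version()` banner falls inside the affected ranges named above, and whether statement-log lines carry XML values that declare a DTD or an entity with a SYSTEM/PUBLIC external identifier, the two triggers the description names. xml_parse is the server-side parser behind the text-to-xml cast and XMLPARSE, so those are the SQL shapes the scan looks for. The log lines, hostnames and file paths below are constructed for the example.

```python
"""Added example for CVE-2012-3489 (not part of the CVE record or of PostgreSQL).

Two checks: is a server's version in one of the affected branches named by the
advisory, and does a statement log carry XML values with the DTD/entity
references that make xml_parse reach out to a file or URL on vulnerable builds.
"""
import re

# First fixed patch level per affected branch, per the advisory text.
# Anything older on the same branch is affected; branches not listed (8.2 and
# earlier, 9.2 and later) are outside this record and are not judged here.
FIXED_PATCH = {(8, 3): 20, (8, 4): 13, (9, 0): 9, (9, 1): 5}

VERSION_RE = re.compile(r"PostgreSQL (\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(banner):
    """Return (major, minor, patch) from the text of SELECT version()."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError("not a PostgreSQL version banner: %r" % banner)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)  # "9.1" means 9.1.0


def is_affected(banner):
    """True when the banner names an affected branch at a pre-fix patch level."""
    major, minor, patch = parse_version(banner)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False
    return patch < fixed


# Declarations that make libxml2 look outside the document: a DOCTYPE (the DTD
# trigger) and an ENTITY whose definition carries a SYSTEM or PUBLIC external
# identifier (the entity trigger).
DECL_RE = re.compile(r"<!(?:DOCTYPE|ENTITY)\b", re.I)
EXTERNAL_ID_RE = re.compile(
    r"""\b(?:SYSTEM\s+(["'])(?P<sys>.*?)\1|PUBLIC\s+(["']).*?\3\s+(["'])(?P<pub>.*?)\4)""",
    re.I,
)


def external_references(text):
    """List the file/URL targets of every SYSTEM/PUBLIC external identifier in text."""
    return [m.group("sys") or m.group("pub") for m in EXTERNAL_ID_RE.finditer(text)]


def scan_statement_log(lines):
    """Return (line_number, external_targets) for each line with a DTD or entity declaration.

    An empty target list means the declaration is purely internal: it parses
    without any fetch and is only worth a glance. A non-empty list is the
    pattern this CVE is about.
    """
    findings = []
    for n, line in enumerate(lines, 1):
        if DECL_RE.search(line):
            findings.append((n, external_references(line)))
    return findings


# Constructed sample in the shape of log_statement = 'all' output; not captured
# from a real server. Hosts and paths are placeholders.
SAMPLE_LOG = [
    "2012-08-17 10:01:02 UTC LOG:  statement: SELECT '<doc><a>1</a></doc>'::xml;",
    "2012-08-17 10:01:05 UTC LOG:  statement: SELECT xmlparse(DOCUMENT "
    "'<!DOCTYPE d [<!ENTITY e SYSTEM \"file:///etc/passwd\">]><d>&e;</d>');",
    "2012-08-17 10:01:09 UTC LOG:  statement: SELECT "
    "'<!DOCTYPE d SYSTEM \"http://dtd.example/d.dtd\"><d/>'::xml;",
    "2012-08-17 10:01:12 UTC LOG:  statement: SELECT "
    "'<!DOCTYPE d [<!ENTITY note \"internal only\">]><d>&note;</d>'::xml;",
]

if __name__ == "__main__":
    for banner in ("PostgreSQL 9.1.4 on x86_64-unknown-linux-gnu",
                   "PostgreSQL 9.1.5 on x86_64-unknown-linux-gnu"):
        print(banner.split(" on ")[0], "affected" if is_affected(banner) else "not affected")
    for n, targets in scan_statement_log(SAMPLE_LOG):
        print("line %d: external targets %r" % (n, targets))
```

The version check only answers for the four branches this record names; an unlisted branch returns False rather than guessing, so pair it with the vendor's own support page for anything else. The log scan deliberately reports internal-only DTDs with an empty target list, since those parse without any fetch and are common in legitimate data, while a SYSTEM or PUBLIC target on a pre-fix server is the file-existence probe described above.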
References (21)
http://rhn.redhat.com/errata/RHSA-2012-1263.html (Third Party Advisory; vendor-advisory; x_refsource_redhat)
http://www.securityfocus.com/bid/55074 (Broken Link, Third Party Advisory, VDB Entry; vdb-entry; x_refsource_bid)
http://www.postgresql.org/docs/9.0/static/release-9-0-9.html (Release Notes; x_refsource_confirm)
http://www.mandriva.com/security/advisories?name=MDVSA-2012:139 (Broken Link; vendor-advisory; x_refsource_mandriva)
http://www.ubuntu.com/usn/USN-1542-1 (Third Party Advisory; vendor-advisory; x_refsource_ubuntu)
http://secunia.com/advisories/50718 (Broken Link; third-party-advisory; x_refsource_secunia)
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html (Release Notes; x_refsource_confirm)
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2 (Third Party Advisory; x_refsource_confirm)
http://www.postgresql.org/docs/8.4/static/release-8-4-13.html (Release Notes; x_refsource_confirm)
http://www.postgresql.org/docs/8.3/static/release-8-3-20.html (Release Notes; x_refsource_confirm)
http://www.postgresql.org/about/news/1407/ (Vendor Advisory; x_refsource_confirm)
http://secunia.com/advisories/50635 (Broken Link; third-party-advisory; x_refsource_secunia)
http://www.postgresql.org/support/security/ (Release Notes, Vendor Advisory; x_refsource_confirm)
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html (Mailing List; vendor-advisory; x_refsource_apple)
http://secunia.com/advisories/50946 (Broken Link; third-party-advisory; x_refsource_secunia)
https://bugzilla.redhat.com/show_bug.cgi?id=849173 (Issue Tracking, Patch, Release Notes; x_refsource_confirm)
http://www.debian.org/security/2012/dsa-2534 (Mailing List; vendor-advisory; x_refsource_debian)
http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html (Mailing List; vendor-advisory; x_refsource_suse)
http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html (Mailing List; vendor-advisory; x_refsource_suse)
http://secunia.com/advisories/50859 (Broken Link; third-party-advisory; x_refsource_secunia)
http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html (Mailing List; vendor-advisory; x_refsource_suse)
Scores
CVSS v3: 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Attack Vector: NETWORK
EPSS: 0.0096 (76.7th percentile)
Details
CWE: CWE-611 (Improper Restriction of XML External Entity Reference)
Status: published
Products (19)
apple/mac_os_x_server 10.6.8
apple/mac_os_x_server 10.7.0 - 10.7.5
canonical/ubuntu_linux 8.04
canonical/ubuntu_linux 10.04
canonical/ubuntu_linux 11.04
canonical/ubuntu_linux 11.10
canonical/ubuntu_linux 12.04
debian/debian_linux 6.0
opensuse/opensuse 11.4
opensuse/opensuse 12.1
... and 9 more
Published: Oct 03, 2012
Tracked Since: Feb 18, 2026