PostgreSQL 8.3 < 8.3.20 / 8.4 < 8.4.13 / 9.0 < 9.0.9 / 9.1 < 9.1.5 Multiple Vulnerabilities

This script is Copyright (C) 2012-2014 Tenable Network Security, Inc.


Synopsis :

The remote database server is affected by multiple vulnerabilities.

Description :

The version of PostgreSQL installed on the remote host is 8.3.x prior
to 8.3.20, 8.4.x prior to 8.4.13, 9.0.x prior to 9.0.9, or 9.1.x prior
to 9.1.5. It therefore is potentially affected by multiple
vulnerabilities :

- A flaw in contrib/xml2's xslt_process can be used to
read and write arbitrary files. (CVE-2012-3488)

- An xml_parse() DTD validation flaw can be used to read
arbitrary files. (CVE-2012-3489)

See also :

http://www.postgresql.org/about/news/1407/
http://www.postgresql.org/docs/8.3/static/release-8-3-20.html
http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html

Solution :

Upgrade to PostgreSQL 8.3.20 / 8.4.13 / 9.0.9 / 9.1.5 or later.

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Databases

Nessus Plugin ID: 63354 ()

Bugtraq ID: 55072
55074

CVE ID: CVE-2012-3488
CVE-2012-3489