CVE-2012-3489

MEDIUM

Description

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.

References

http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html
http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html
http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html
http://rhn.redhat.com/errata/RHSA-2012-1263.html
http://secunia.com/advisories/50635
http://secunia.com/advisories/50718
http://secunia.com/advisories/50859
http://secunia.com/advisories/50946
http://www.debian.org/security/2012/dsa-2534
http://www.mandriva.com/security/advisories?name=MDVSA-2012:139
http://www.postgresql.org/about/news/1407/
http://www.postgresql.org/docs/8.3/static/release-8-3-20.html
http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
http://www.postgresql.org/support/security/
http://www.securityfocus.com/bid/55074
http://www.ubuntu.com/usn/USN-1542-1
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2
https://bugzilla.redhat.com/show_bug.cgi?id=849173

Details

Source: MITRE
Published: 2012-10-03
Updated: 2013-10-10
Type: CWE-20

Risk Information

CVSS v2.0
Base Score: 4
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Impact Score: 2.9
Exploitability Score: 8
Severity: MEDIUM