CVE-2012-3489
CVSS base score: 6.5

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.

Data is provided by the National Vulnerability Database (NVD)
Affected products (vendor / product / version):
Postgresql   Postgresql             >= 8.3.0, < 8.3.20
Postgresql   Postgresql             >= 8.4.0, < 8.4.13
Postgresql   Postgresql             >= 9.0.0, < 9.0.9
Postgresql   Postgresql             >= 9.1.0, < 9.1.5
Opensuse     Opensuse               11.4
Opensuse     Opensuse               12.1
Opensuse     Opensuse               12.2
Apple        macOS X Server         >= 10.7.0, <= 10.7.5
Apple        macOS X Server         10.6.8
Canonical    Ubuntu Linux           8.04
Canonical    Ubuntu Linux           10.04
Canonical    Ubuntu Linux           11.04
Canonical    Ubuntu Linux           11.10
Canonical    Ubuntu Linux           12.04
Debian       Debian Linux           6.0
Redhat       Enterprise Linux Eus   6.3
No CISA KEV entry or CERT.AT advisory was found for this CVE.

EPSS metrics
Type   Source      Score   Percentile
EPSS   FIRST.org   1.04%   0.767

CVSS metrics
Source         Base Score   Exploit Score   Impact Score   Vector string
nvd@nist.gov   6.5          2.8             3.6            CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
nvd@nist.gov   4            8               2.9            AV:N/AC:L/Au:S/C:P/I:N/A:N
CWE-611 Improper Restriction of XML External Entity Reference

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

References:
http://www.postgresql.org/support/security/ (Vendor Advisory, Release Notes)
http://www.securityfocus.com/bid/55074 (Third Party Advisory, Broken Link, VDB Entry)
https://bugzilla.redhat.com/show_bug.cgi?id=849173 (Patch, Release Notes, Issue Tracking)