CVE-2012-3488
First published: Fri Aug 17 2012(Updated: )
An XML External Entities (XXE) attack was found in the way xml2 contrib module, providing XPath querying and XSLT functionality, of PostgreSQL, an advanced Object-Relational database management system (DBMS), performed processing of XSLT documents. When the xml2 contrib module was enabled an unprivileged database user could issue a specially-crafted SQL query to the PostgreSQL server that, when processed could lead to attacker's ability to read or write (alter) arbitrary system files, accessible with the privileges of the user running the PostgreSQL server. References: [1] <a href="http://www.postgresql.org/docs/8.3/static/release-8-3-20.html">http://www.postgresql.org/docs/8.3/static/release-8-3-20.html</a> [2] <a href="http://www.postgresql.org/docs/9.0/static/release-9-0-9.html">http://www.postgresql.org/docs/9.0/static/release-9-0-9.html</a> [3] <a href="http://www.postgresql.org/docs/9.1/static/release-9-1-5.html">http://www.postgresql.org/docs/9.1/static/release-9-1-5.html</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/postgresql | <9.1.5 | 9.1.5 |
| redhat/postgresql | <9.0.9 | 9.0.9 |
| redhat/postgresql | <8.4.13 | 8.4.13 |
| redhat/postgresql | <8.3.20 | 8.3.20 |
| PostgreSQL PostgreSQL | =9.1 | |
| PostgreSQL PostgreSQL | =9.1.1 | |
| PostgreSQL PostgreSQL | =9.1.2 | |
| PostgreSQL PostgreSQL | =9.1.3 | |
| PostgreSQL PostgreSQL | =9.1.4 | |
| PostgreSQL PostgreSQL | =8.4 | |
| PostgreSQL PostgreSQL | =8.4.1 | |
| PostgreSQL PostgreSQL | =8.4.2 | |
| PostgreSQL PostgreSQL | =8.4.3 | |
| PostgreSQL PostgreSQL | =8.4.4 | |
| PostgreSQL PostgreSQL | =8.4.5 | |
| PostgreSQL PostgreSQL | =8.4.6 | |
| PostgreSQL PostgreSQL | =8.4.7 | |
| PostgreSQL PostgreSQL | =8.4.8 | |
| PostgreSQL PostgreSQL | =8.4.9 | |
| PostgreSQL PostgreSQL | =8.4.10 | |
| PostgreSQL PostgreSQL | =8.4.11 | |
| PostgreSQL PostgreSQL | =8.4.12 | |
| PostgreSQL PostgreSQL | =8.3 | |
| PostgreSQL PostgreSQL | =8.3.1 | |
| PostgreSQL PostgreSQL | =8.3.2 | |
| PostgreSQL PostgreSQL | =8.3.3 | |
| PostgreSQL PostgreSQL | =8.3.4 | |
| PostgreSQL PostgreSQL | =8.3.5 | |
| PostgreSQL PostgreSQL | =8.3.6 | |
| PostgreSQL PostgreSQL | =8.3.7 | |
| PostgreSQL PostgreSQL | =8.3.8 | |
| PostgreSQL PostgreSQL | =8.3.9 | |
| PostgreSQL PostgreSQL | =8.3.10 | |
| PostgreSQL PostgreSQL | =8.3.11 | |
| PostgreSQL PostgreSQL | =8.3.12 | |
| PostgreSQL PostgreSQL | =8.3.13 | |
| PostgreSQL PostgreSQL | =8.3.14 | |
| PostgreSQL PostgreSQL | =8.3.15 | |
| PostgreSQL PostgreSQL | =8.3.16 | |
| PostgreSQL PostgreSQL | =8.3.17 | |
| PostgreSQL PostgreSQL | =8.3.18 | |
| PostgreSQL PostgreSQL | =8.3.19 | |
| PostgreSQL PostgreSQL | =9.0 | |
| PostgreSQL PostgreSQL | =9.0.1 | |
| PostgreSQL PostgreSQL | =9.0.2 | |
| PostgreSQL PostgreSQL | =9.0.3 | |
| PostgreSQL PostgreSQL | =9.0.4 | |
| PostgreSQL PostgreSQL | =9.0.5 | |
| PostgreSQL PostgreSQL | =9.0.6 | |
| PostgreSQL PostgreSQL | =9.0.7 | |
| PostgreSQL PostgreSQL | =9.0.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.postgresql.org/docs/8.3/static/release-8-3-20.html
- http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
- http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=849174
- http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=27ac667cfd94f7f8ce41efb93962e9deb818a47f
- https://rhn.redhat.com/errata/RHSA-2012-1264.html
- https://rhn.redhat.com/errata/RHSA-2012-1263.html
- https://bugzilla.redhat.com/show_bug.cgi?id=849172
- http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
- http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
- http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html
- http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html
- http://rhn.redhat.com/errata/RHSA-2012-1263.html
- http://rhn.redhat.com/errata/RHSA-2012-1264.html
- http://secunia.com/advisories/50635
- http://secunia.com/advisories/50636
- http://secunia.com/advisories/50718
- http://secunia.com/advisories/50859
- http://secunia.com/advisories/50946
- http://www.debian.org/security/2012/dsa-2534
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:139
- http://www.postgresql.org/about/news/1407/
- http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
- http://www.postgresql.org/support/security/
- http://www.securityfocus.com/bid/55072
- http://www.ubuntu.com/usn/USN-1542-1
- https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2
- collector/redhat-bugzilla
- alias/CVE-2012-3488
- agent/author
- agent/severity
- agent/weakness
- agent/references
- agent/type
- agent/event
- agent/description
- agent/first-publish-date
- agent/last-modified-date
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/postgresql
- canonical/postgresql postgresql
- version/postgresql postgresql/9.1
- version/postgresql postgresql/9.1.1
- version/postgresql postgresql/9.1.2
- version/postgresql postgresql/9.1.3
- version/postgresql postgresql/9.1.4
- version/postgresql postgresql/8.4
- version/postgresql postgresql/8.4.1
- version/postgresql postgresql/8.4.2
- version/postgresql postgresql/8.4.3
- version/postgresql postgresql/8.4.4
- version/postgresql postgresql/8.4.5
- version/postgresql postgresql/8.4.6
- version/postgresql postgresql/8.4.7
- version/postgresql postgresql/8.4.8
- version/postgresql postgresql/8.4.9
- version/postgresql postgresql/8.4.10
- version/postgresql postgresql/8.4.11
- version/postgresql postgresql/8.4.12
- version/postgresql postgresql/8.3
- version/postgresql postgresql/8.3.1
- version/postgresql postgresql/8.3.2
- version/postgresql postgresql/8.3.3
- version/postgresql postgresql/8.3.4
- version/postgresql postgresql/8.3.5
- version/postgresql postgresql/8.3.6
- version/postgresql postgresql/8.3.7
- version/postgresql postgresql/8.3.8
- version/postgresql postgresql/8.3.9
- version/postgresql postgresql/8.3.10
- version/postgresql postgresql/8.3.11
- version/postgresql postgresql/8.3.12
- version/postgresql postgresql/8.3.13
- version/postgresql postgresql/8.3.14
- version/postgresql postgresql/8.3.15
- version/postgresql postgresql/8.3.16
- version/postgresql postgresql/8.3.17
- version/postgresql postgresql/8.3.18
- version/postgresql postgresql/8.3.19
- version/postgresql postgresql/9.0
- version/postgresql postgresql/9.0.1
- version/postgresql postgresql/9.0.2
- version/postgresql postgresql/9.0.3
- version/postgresql postgresql/9.0.4
- version/postgresql postgresql/9.0.5
- version/postgresql postgresql/9.0.6
- version/postgresql postgresql/9.0.7
- version/postgresql postgresql/9.0.8