CVE-2012-3489

Sažetak

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.

Reference

http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html
http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html
http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html
http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html
http://rhn.redhat.com/errata/RHSA-2012-1263.html
http://secunia.com/advisories/50635
http://secunia.com/advisories/50718
http://secunia.com/advisories/50859
http://secunia.com/advisories/50946
http://www.debian.org/security/2012/dsa-2534
http://www.mandriva.com/security/advisories?name=MDVSA-2012:139
http://www.postgresql.org/about/news/1407/
http://www.postgresql.org/docs/8.3/static/release-8-3-20.html
http://www.postgresql.org/docs/8.4/static/release-8-4-13.html
http://www.postgresql.org/docs/9.0/static/release-9-0-9.html
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html
http://www.postgresql.org/support/security/
http://www.securityfocus.com/bid/55074
http://www.ubuntu.com/usn/USN-1542-1
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2
https://bugzilla.redhat.com/show_bug.cgi?id=849173

CVSS

Base:	4.0
Impact:	2.9
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	NONE	NONE

CVSS vektor

AV:N/AC:L/Au:S/C:P/I:N/A:N

Zadnje važnije ažuriranje

15-02-2024 - 03:22

Objavljeno

03-10-2012 - 21:55