CVE-2012-3489

CWE-611 — XML External Entity (XXE)CWE-20 — Improper Input Validation7 documents6 sources

Severity

6.5MEDIUM

EPSS

1.0%

top 23.57%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Postgresql Apple MAC OS X Server Canonical Ubuntu Linux +6 more

Timeline

PublishedOct 3

Latest updateMay 17

Description

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages6 packages

▶NVDpostgresql/postgresql8.3.0 — 8.3.20+3

▶NVDapple/mac_os_x_server10.7.0 — 10.7.5+1

▶NVDredhat/enterprise_linux_server5.0, 6.0+1

▶NVDopensuse/opensuse11.4, 12.1, 12.2+2

▶NVDredhat/enterprise_linux_desktop5.0, 6.0+1

Also affects: Debian Linux 6.0, Ubuntu Linux 10.04, 11.04, 11.10, 12.04, 8.04, Enterprise Linux 6.3

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-fpq4-mcf9-c5w9: The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8↗2022-05-17

▶

CVEList

CVE-2012-3489: The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8↗2012-10-03

▶

📋Vendor Advisories

Ubuntu

PostgreSQL vulnerabilities↗2012-08-21

▶

Red Hat

postgresql: File disclosure through XXE in xmlparse by DTD validation↗2012-08-17

▶

💬Community

Bugzilla

CVE-2012-3489 postgresql: File disclosure through XXE in xmlparse by DTD validation↗2012-08-17

▶

Bugzilla

CVE-2012-3488 CVE-2012-3489 postgresql various flaws [fedora-all]↗2012-08-17

▶