CVE-2020-13692
Published 2020-06-04
Priority P3 · 45 · high · CVSS 3.1 score 7.7
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H
EPSS: 4.09% (89.5th percentile)
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libpgjava | < libpgjava 42.2.12-2 (bookworm) | libpgjava 42.2.12-2 (bookworm) |
| fedoraproject | fedora | — | — |
| postgresql | postgresql_jdbc_driver | < 42.2.13 | 42.2.13 |
| quarkus | quarkus | <= 1.5.2 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.7 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| osv | — | 7.7 | HIGH | — |
| vendor_debian | — | 7.7 | LOW | — |
| vendor_redhat | — | 7.7 | HIGH | — |
Ubuntu
PostgreSQL JDBC Driver vulnerability
vendor_ubuntu · 2022-09-06
Summary: PostgreSQL JDBC Driver could be made to crash or run programs if it received specially crafted input.
It was discovered that PostgreSQL JDBC Driver incorrectly handled certain requests from external entities. A remote attacker could use this vulnerability to cause a denial of service or possibly execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
vendor_redhat · 2020-06-04 · CVSS 7.7 · HIGH · CWE-611
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
A flaw was found in PostgreSQL JDBC in versions prior to 42.2.13. An XML External Entity (XXE) weakness was found in PostgreSQL JDBC. The highest threat from this vulnerability is to data confidentiality and system availability.
Package: quarkus-jdbc-postgresql (Red Hat Fuse 7) - Not affected
Package: quarkus-jdbc-postgresql-deployment (Red Hat Fuse 7) - Not affected
Package: jdbc-postgresql (Red Hat Integration Camel K 1) - Affected
Package: quarkus-jdbc-postgresql (Red Hat Integration Camel K 1) - Not affected
Package: quarkus-jdbc-postgresql-deployment (Red Hat Integration Camel K 1) - Not affected
Package: jdbc-postgresql (Red Hat JBoss Fuse 6) - N
Debian
CVE-2020-13692: libpgjava - PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
vendor_debian · 2020 · CVSS 7.7 · HIGH
Scope: local
bookworm: resolved (fixed in 42.2.12-2)
bullseye: resolved (fixed in 42.2.12-2)
forky: resolved (fixed in 42.2.12-2)
sid: resolved (fixed in 42.2.12-2)
trixie: resolved (fixed in 42.2.12-2)
GHSA
Improper Restriction of XML External Entity Reference
ghsa · 2022-02-10 · HIGH · CWE-611
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
OSV
Improper Restriction of XML External Entity Reference
osv · 2022-02-10 · HIGH
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
OSV
CVE-2020-13692: PostgreSQL JDBC Driver (aka PgJDBC) before 42
osv · 2020-06-04 · CVSS 7.7 · HIGH
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-13692 postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML [fedora-all]
bugzilla · 2020-07-28 · CVSS 7.7 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple
Bugzilla
CVE-2020-13692 postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
bugzilla · 2020-07-01 · CVSS 7.7 · HIGH
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.
Reference: https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13
Upstream commit: https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65
Discussion:
More info from the reporter's blog - https://blog.daviddworken.com/posts/pgjdbc-xxe/
---
We disagree with some aspects of this base flaw's scoring and suggest the following corrections
Exploitability Metrics:
Attack Vector Network (AV:N) -
Agree here, we cannot say we control the contents of the database, this could be XML (and DTD injection) derived from unsanitized input
Attack Complexity Low (AC:L) - Changed to Attack Complexity High (AC:H)
We
References:
- https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65
- https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13
- https://lists.apache.org/thread.html/r00bcc6b2da972e0d6332a4ebc7807e17305d8b8e7fb2ae63d2a3cbfb%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r01ae1b3d981cf2e563e9b5b0a6ea54fb3cac8e9a0512ee5269e3420e%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r0478a1aa9ae0dbd79d8f7b38d0d93fa933ac232e2b430b6f31a103c0%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r1aae77706aab7d89b4fe19be468fc3c73e9cc84ff79cc2c3bd07c05a%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r4bdea189c9991aae7a929d28f575ec46e49ed3d68fa5235825f38a4f%40%3Cnotifications.netbeans.apache.org%3E
- https://lists.apache.org/thread.html/r631f967db6260d6178740a3314a35d9421facd8212e62320275fa78e%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/r7f6d019839df17646ffd0046a99146cacf40492a6c92078f65fd32e0%40%3Ccommits.camel.apache.org%3E
- https://lists.apache.org/thread.html/rb89f92aba44f524d5c270e0c44ca7aec4704691c37fe106cf73ec977%40%3Cnotifications.netbeans.apache.org%3E
- https://lists.apache.org/thread.html/rfe363bf3a46d440ad57fd05c0e313025c7218364bbdc5fd8622ea7ae%40%3Ccommits.camel.apache.org%3E
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCCAPM6FSNOC272DLSNQ6YHXS3OMHGJC/
- https://security.netapp.com/advisory/ntap-20200619-0005/
- https://www.debian.org/security/2022/dsa-5196
Published: 2020-06-04