Lucene search

[email protected]NVD:CVE-2012-3489

HistoryOct 03, 2012 - 9:55 p.m.

CVE-2012-3489

2012-10-0321:55:00

CWE-611

[email protected]

web.nvd.nist.gov

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

0.002

Percentile

60.8%

JSON

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.

Affected configurations

Nvd

Node

postgresqlpostgresqlRange8.3.0–8.3.20

postgresqlpostgresqlRange8.4.0–8.4.13

postgresqlpostgresqlRange9.0.0–9.0.9

postgresqlpostgresqlRange9.1.0–9.1.5

Node

opensuseopensuseMatch11.4

opensuseopensuseMatch12.1

opensuseopensuseMatch12.2

Node

applemac_os_x_serverRange10.7.0–10.7.5

applemac_os_x_serverMatch10.6.8

Node

canonicalubuntu_linuxMatch8.04-

canonicalubuntu_linuxMatch10.04-

canonicalubuntu_linuxMatch11.04

canonicalubuntu_linuxMatch11.10

canonicalubuntu_linuxMatch12.04-

Node

debiandebian_linuxMatch6.0

Node

redhatenterprise_linux_desktopMatch5.0

redhatenterprise_linux_desktopMatch6.0

redhatenterprise_linux_eusMatch6.3

redhatenterprise_linux_serverMatch5.0

redhatenterprise_linux_serverMatch6.0

redhatenterprise_linux_workstationMatch5.0

redhatenterprise_linux_workstationMatch6.0

References

lists.apple.com/archives/security-announce/2013/Mar/msg00002.html

lists.opensuse.org/opensuse-updates/2012-09/msg00102.html

lists.opensuse.org/opensuse-updates/2012-10/msg00013.html

lists.opensuse.org/opensuse-updates/2012-10/msg00024.html

rhn.redhat.com/errata/RHSA-2012-1263.html

secunia.com/advisories/50635

secunia.com/advisories/50718

secunia.com/advisories/50859

secunia.com/advisories/50946

www.debian.org/security/2012/dsa-2534

www.mandriva.com/security/advisories?name=MDVSA-2012:139

www.postgresql.org/about/news/1407/

www.postgresql.org/docs/8.3/static/release-8-3-20.html

www.postgresql.org/docs/8.4/static/release-8-4-13.html

www.postgresql.org/docs/9.0/static/release-9-0-9.html

www.postgresql.org/docs/9.1/static/release-9-1-5.html

www.postgresql.org/support/security/

www.securityfocus.com/bid/55074

www.ubuntu.com/usn/USN-1542-1

blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2

bugzilla.redhat.com/show_bug.cgi?id=849173

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

6.2

Confidence

High

EPSS

0.002

Percentile

60.8%

JSON

Related for NVD:CVE-2012-3489

seebug1 prion1 cvelist1 ubuntucve1 cve1 postgresql1 centos1 veracode1 openvas29 nessus22 debian1 oraclelinux1 redhat1 osv1 securityvulns4 ubuntu1 amazon1 fedora4 freebsd1 gentoo1