{"id": "RHSA-2020:3284", "type": "redhat", "bulletinFamily": "unix", "title": "(RHSA-2020:3284) Important: postgresql-jdbc security update", "description": "PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database.\n\nSecurity Fix(es):\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nThis update introduces a backwards incompatible change required to resolve this issue. Refer to the Red Hat Knowledgebase article 5266441 linked to in the References section for information on how to re-enable the old insecure behavior.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "published": "2020-08-03T20:33:30", "modified": "2020-08-03T20:46:20", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "href": "https://access.redhat.com/errata/RHSA-2020:3284", "reporter": "RedHat", "references": [], "cvelist": ["CVE-2020-13692"], "lastseen": "2020-08-03T18:03:42", "viewCount": 20, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-13692"]}, {"type": "redhat", "idList": ["RHSA-2021:0110", "RHSA-2020:3283", "RHSA-2020:3678", "RHSA-2020:3286", "RHSA-2020:3675", "RHSA-2020:3248", "RHSA-2020:3285", "RHSA-2020:3005", "RHSA-2020:3176", "RHSA-2020:3209"]}, {"type": "nessus", "idList": ["CENTOS_RHSA-2020-3284.NASL", "SL_20200803_POSTGRESQL_JDBC_ON_SL7_X.NASL", "ORACLELINUX_ELSA-2020-3176.NASL", "AL2_ALAS-2020-1482.NASL", "REDHAT-RHSA-2020-3286.NASL", "ORACLELINUX_ELSA-2020-3285.NASL", "FEDORA_2020-5A31CCFE66.NASL", "REDHAT-RHSA-2020-3176.NASL", "REDHAT-RHSA-2020-3283.NASL", "REDHAT-RHSA-2020-3284.NASL"]}, {"type": "amazon", "idList": ["ALAS2-2020-1482"]}, {"type": "centos", "idList": ["CESA-2020:3284", "CESA-2020:3285"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-3176", "ELSA-2020-3284", "ELSA-2020-3285"]}, {"type": "fedora", "idList": ["FEDORA:1620B30A0F0E"]}], "modified": "2020-08-03T18:03:42", "rev": 2}, "score": {"value": 4.3, "vector": "NONE", "modified": "2020-08-03T18:03:42", "rev": 2}, "vulnersScore": 4.3}, "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "arch": "src", "packageName": "postgresql-jdbc", "packageVersion": "8.4.704-4.el6_10", "packageFilename": "postgresql-jdbc-8.4.704-4.el6_10.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "arch": "noarch", "packageName": "postgresql-jdbc", "packageVersion": "8.4.704-4.el6_10", "packageFilename": "postgresql-jdbc-8.4.704-4.el6_10.noarch.rpm", "operator": "lt"}]}

{"cve": [{"lastseen": "2020-12-09T22:03:06", "description": "PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.", "edition": 12, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "baseScore": 7.7, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.5}, "published": "2020-06-04T16:15:00", "title": "CVE-2020-13692", "type": "cve", "cwe": ["CWE-611"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-13692"], "modified": "2020-08-07T03:15:00", "cpe": [], "id": "CVE-2020-13692", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-13692", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": []}], "redhat": [{"lastseen": "2021-01-13T18:27:08", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "This release of Red Hat Integration - Camel K - Tech-Preview 2 serves as a replacement for tech-preview 1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2021-01-13T22:58:14", "published": "2021-01-13T22:57:19", "id": "RHSA-2021:0110", "href": "https://access.redhat.com/errata/RHSA-2021:0110", "type": "redhat", "title": "(RHSA-2021:0110) Important: Red Hat Integration Tech-Preview 2 Camel K security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-04T16:04:43", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database.\n\nSecurity Fix(es):\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nThis update introduces a backwards incompatible change required to resolve this issue. Refer to the Red Hat Knowledgebase article 5266441 linked to in the References section for information on how to re-enable the old insecure behavior.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-08-04T18:03:15", "published": "2020-07-28T16:19:54", "id": "RHSA-2020:3176", "href": "https://access.redhat.com/errata/RHSA-2020:3176", "type": "redhat", "title": "(RHSA-2020:3176) Important: postgresql-jdbc security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-20T22:03:09", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "PostgreSQL is an advanced object-relational database management system. The Debezium PostgreSQL connector includes JDBC driver to access a PostgreSQL database.\n\nSecurity Fix(es):\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-07-21T00:46:34", "published": "2020-07-21T00:44:11", "id": "RHSA-2020:3005", "href": "https://access.redhat.com/errata/RHSA-2020:3005", "type": "redhat", "title": "(RHSA-2020:3005) Important: Red Hat Integration Debezium 1.1.3 security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-03T18:05:09", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database.\n\nSecurity Fix(es):\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nThis update introduces a backwards incompatible change required to resolve this issue. Refer to the Red Hat Knowledgebase article 5266441 linked to in the References section for information on how to re-enable the old insecure behavior.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-08-03T20:44:10", "published": "2020-08-03T20:34:26", "id": "RHSA-2020:3285", "href": "https://access.redhat.com/errata/RHSA-2020:3285", "type": "redhat", "title": "(RHSA-2020:3285) Important: postgresql-jdbc security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-03T18:05:09", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database.\n\nSecurity Fix(es):\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nThis update introduces a backwards incompatible change required to resolve this issue. Refer to the Red Hat Knowledgebase article 5266441 linked to in the References section for information on how to re-enable the old insecure behavior.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-08-03T20:01:41", "published": "2020-08-03T19:56:51", "id": "RHSA-2020:3283", "href": "https://access.redhat.com/errata/RHSA-2020:3283", "type": "redhat", "title": "(RHSA-2020:3283) Important: postgresql-jdbc security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-03T18:04:38", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "PostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database.\n\nSecurity Fix(es):\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nThis update introduces a backwards incompatible change required to resolve this issue. Refer to the Red Hat Knowledgebase article 5266441 linked to in the References section for information on how to re-enable the old insecure behavior.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-08-03T20:44:09", "published": "2020-08-03T20:37:37", "id": "RHSA-2020:3286", "href": "https://access.redhat.com/errata/RHSA-2020:3286", "type": "redhat", "title": "(RHSA-2020:3286) Important: postgresql-jdbc security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-30T14:06:14", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692", "CVE-2020-14326"], "description": "This release of Red Hat build of Quarkus 1.3.4 SP1 includes security updates, bug fixes, and enhancements. For more information, see the release notes page listed in the References section.\n\nSecurity Fix(es):\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML(CVE-2020-13692)\n\n* RESTEasy: Caching routes in RootNode may result in DoS (CVE-2020-14326)\n\nFor more details about the security issues and their impact, the CVSS score, acknowledgments, and other related information see the CVE pages listed in the References section.", "modified": "2020-07-30T17:32:35", "published": "2020-07-30T17:31:37", "id": "RHSA-2020:3248", "href": "https://access.redhat.com/errata/RHSA-2020:3248", "type": "redhat", "title": "(RHSA-2020:3248) Important: Red Hat build of Quarkus 1.3.4 SP1 release and security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-08T09:42:41", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692", "CVE-2020-1714"], "description": "Red Hat Decision Manager is an open source decision management platform that combines business rules management, complex event processing, Decision Model & Notation (DMN) execution, and Business Optimizer for solving planning problems. It automates business decisions and makes that logic available to the entire business. \n\nThis release of Red Hat Decision Manager 7.8.1 serves as an update to Red Hat Decision Manager 7.8.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jdbc-postgresql: postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\n* keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-09-08T13:29:34", "published": "2020-09-08T13:26:02", "id": "RHSA-2020:3675", "href": "https://access.redhat.com/errata/RHSA-2020:3675", "type": "redhat", "title": "(RHSA-2020:3675) Important: Red Hat Decision Manager 7.8.1 Security Update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-08T09:41:37", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692", "CVE-2020-1714"], "description": "Red Hat Process Automation Manager is an open source business process management suite that combines process management and decision service management and enables business and IT users to create, manage, validate, and deploy process applications and decision services.\n\nThis release of Red Hat Process Automation Manager 7.8.1 serves as an update to Red Hat Process Automation Manager 7.8.0, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es):\n\n* jdbc-postgresql: postgresql-jdbc: XML external entity (XXE) vulnerability\nin PgSQLXML (CVE-2020-13692)\n\n* keycloak: Lack of checks in ObjectInputStream leading to Remote Code Execution (CVE-2020-1714)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-09-08T13:36:21", "published": "2020-09-08T13:35:31", "id": "RHSA-2020:3678", "href": "https://access.redhat.com/errata/RHSA-2020:3678", "type": "redhat", "title": "(RHSA-2020:3678) Important: Red Hat Process Automation Manager 7.8.1 Security Update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-31T12:05:14", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692", "CVE-2020-14319", "CVE-2020-14348"], "description": "The release of Red Hat AMQ Online 1.5.2 serves as a replacement for AMQ Online 1.5.1, and includes bug fixes and enhancements, which are documented in the Release Notes document linked in the References.\n\nSecurity Fix(es):\n\n* AMQ Online: CSRF in graphQL requests (CVE-2020-14319)\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2020-07-31T14:49:34", "published": "2020-07-29T19:17:30", "id": "RHSA-2020:3209", "href": "https://access.redhat.com/errata/RHSA-2020:3209", "type": "redhat", "title": "(RHSA-2020:3209) Moderate: AMQ Online 1.5.2 release and security update", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2020-09-14T17:31:09", "description": "From Red Hat Security Advisory 2020:3285 :\n\nThe remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:3285 advisory.\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability\n in PgSQLXML (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 3, "cvss3": {"score": 7.7, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H"}, "published": "2020-08-06T00:00:00", "title": "Oracle Linux 7 : postgresql-jdbc (ELSA-2020-3285)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-13692"], "modified": "2020-08-06T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:postgresql-jdbc-javadoc", "p-cpe:/a:oracle:linux:postgresql-jdbc", "cpe:/o:oracle:linux:7"], "id": "ORACLELINUX_ELSA-2020-3285.NASL", "href": "https://www.tenable.com/plugins/nessus/139352", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3285 and \n# Oracle Linux Security Advisory ELSA-2020-3285 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139352);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/10\");\n\n script_cve_id(\"CVE-2020-13692\");\n script_xref(name:\"RHSA\", value:\"2020:3285\");\n\n script_name(english:\"Oracle Linux 7 : postgresql-jdbc (ELSA-2020-3285)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"From Red Hat Security Advisory 2020:3285 :\n\nThe remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:3285 advisory.\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability\n in PgSQLXML (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2020-August/010195.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected postgresql-jdbc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:postgresql-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:postgresql-jdbc-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 7\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"postgresql-jdbc-9.2.1002-8.el7_8\")) flag++;\nif (rpm_check(release:\"EL7\", cpu:\"x86_64\", reference:\"postgresql-jdbc-javadoc-9.2.1002-8.el7_8\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postgresql-jdbc / postgresql-jdbc-javadoc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-19T05:33:16", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:3283 advisory.\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 3, "cvss3": {"score": 7.7, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H"}, "published": "2020-08-03T00:00:00", "title": "RHEL 8 : postgresql-jdbc (RHSA-2020:3283)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-13692"], "modified": "2020-08-03T00:00:00", "cpe": ["cpe:/a:redhat:rhel_e4s:8.0::appstream", "p-cpe:/a:redhat:enterprise_linux:postgresql-jdbc", "p-cpe:/a:redhat:enterprise_linux:postgresql-jdbc-javadoc", "cpe:/o:redhat:rhel_e4s:8.0"], "id": "REDHAT-RHSA-2020-3283.NASL", "href": "https://www.tenable.com/plugins/nessus/139291", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3283. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139291);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/18\");\n\n script_cve_id(\"CVE-2020-13692\");\n script_xref(name:\"RHSA\", value:\"2020:3283\");\n\n script_name(english:\"RHEL 8 : postgresql-jdbc (RHSA-2020:3283)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:3283 advisory.\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/611.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-13692\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3283\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1852985\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected postgresql-jdbc and / or postgresql-jdbc-javadoc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13692\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(611);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_e4s:8.0::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-jdbc-javadoc\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_e4s_8_0_appstream': [\n 'rhel-8-for-x86_64-appstream-e4s-debug-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:3283');\n}\n\npkgs = [\n {'reference':'postgresql-jdbc-42.2.3-3.el8_0', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_0_appstream']},\n {'reference':'postgresql-jdbc-javadoc-42.2.3-3.el8_0', 'release':'8', 'el_string':'el8_0', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_0_appstream']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'postgresql-jdbc / postgresql-jdbc-javadoc');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-01T09:37:17", "description": "The remote CentOS Linux 6 host has a package installed that is affected by a vulnerability as referenced in the\nCESA-2020:3284 advisory.\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 4, "cvss3": {"score": 7.7, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H"}, "published": "2020-08-07T00:00:00", "title": "CentOS 6 : postgresql-jdbc (CESA-2020:3284)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-13692"], "modified": "2020-08-07T00:00:00", "cpe": ["cpe:/o:centos:centos:6", "p-cpe:/a:centos:centos:postgresql-jdbc"], "id": "CENTOS_RHSA-2020-3284.NASL", "href": "https://www.tenable.com/plugins/nessus/139424", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3284 and\n# CentOS Errata and Security Advisory 2020:3284 respectively.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139424);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/30\");\n\n script_cve_id(\"CVE-2020-13692\");\n script_xref(name:\"RHSA\", value:\"2020:3284\");\n\n script_name(english:\"CentOS 6 : postgresql-jdbc (CESA-2020:3284)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 6 host has a package installed that is affected by a vulnerability as referenced in the\nCESA-2020:3284 advisory.\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.centos.org/pipermail/centos-announce/2020-August/035794.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2ec77748\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/611.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected postgresql-jdbc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13692\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(611);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:postgresql-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'CentOS 6.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'postgresql-jdbc-8.4.704-4.el6_10', 'sp':'10', 'release':'CentOS-6'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'postgresql-jdbc');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T17:30:58", "description": "From Red Hat Security Advisory 2020:3176 :\n\nThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:3176 advisory.\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability\n in PgSQLXML (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 3, "cvss3": {"score": 7.7, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H"}, "published": "2020-07-30T00:00:00", "title": "Oracle Linux 8 : postgresql-jdbc (ELSA-2020-3176)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-13692"], "modified": "2020-07-30T00:00:00", "cpe": ["cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:postgresql-jdbc-javadoc", "p-cpe:/a:oracle:linux:postgresql-jdbc"], "id": "ORACLELINUX_ELSA-2020-3176.NASL", "href": "https://www.tenable.com/plugins/nessus/139162", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3176 and \n# Oracle Linux Security Advisory ELSA-2020-3176 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139162);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/03\");\n\n script_cve_id(\"CVE-2020-13692\");\n script_xref(name:\"RHSA\", value:\"2020:3176\");\n\n script_name(english:\"Oracle Linux 8 : postgresql-jdbc (ELSA-2020-3176)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"From Red Hat Security Advisory 2020:3176 :\n\nThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in\nthe RHSA-2020:3176 advisory.\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability\n in PgSQLXML (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2020-July/010172.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected postgresql-jdbc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:postgresql-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:postgresql-jdbc-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 8\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"postgresql-jdbc-42.2.3-3.el8_2\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"postgresql-jdbc-javadoc-42.2.3-3.el8_2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postgresql-jdbc / postgresql-jdbc-javadoc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-01T09:37:17", "description": "The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the\nCESA-2020:3285 advisory.\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 4, "cvss3": {"score": 7.7, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H"}, "published": "2020-08-07T00:00:00", "title": "CentOS 7 : postgresql-jdbc (CESA-2020:3285)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-13692"], "modified": "2020-08-07T00:00:00", "cpe": ["cpe:/o:centos:centos:7", "p-cpe:/a:centos:centos:postgresql-jdbc-javadoc", "p-cpe:/a:centos:centos:postgresql-jdbc"], "id": "CENTOS_RHSA-2020-3285.NASL", "href": "https://www.tenable.com/plugins/nessus/139418", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3285 and\n# CentOS Errata and Security Advisory 2020:3285 respectively.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139418);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/30\");\n\n script_cve_id(\"CVE-2020-13692\");\n script_xref(name:\"RHSA\", value:\"2020:3285\");\n\n script_name(english:\"CentOS 7 : postgresql-jdbc (CESA-2020:3285)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the\nCESA-2020:3285 advisory.\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.centos.org/pipermail/centos-announce/2020-August/035788.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fae151e6\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/611.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected postgresql-jdbc and / or postgresql-jdbc-javadoc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13692\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(611);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:postgresql-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:postgresql-jdbc-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'CentOS 7.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'postgresql-jdbc-9.2.1002-8.el7_8', 'sp':'8', 'release':'CentOS-7'},\n {'reference':'postgresql-jdbc-javadoc-9.2.1002-8.el7_8', 'sp':'8', 'release':'CentOS-7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'postgresql-jdbc / postgresql-jdbc-javadoc');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-12T02:05:28", "description": "fixed XML external entity (XXE) vulnerability\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 2, "cvss3": {"score": 7.7, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H"}, "published": "2020-08-07T00:00:00", "title": "Fedora 32 : postgresql-jdbc (2020-5a31ccfe66)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-13692"], "modified": "2020-08-07T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:postgresql-jdbc", "cpe:/o:fedoraproject:fedora:32"], "id": "FEDORA_2020-5A31CCFE66.NASL", "href": "https://www.tenable.com/plugins/nessus/139390", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-5a31ccfe66.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139390);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/11\");\n\n script_cve_id(\"CVE-2020-13692\");\n script_xref(name:\"FEDORA\", value:\"2020-5a31ccfe66\");\n\n script_name(english:\"Fedora 32 : postgresql-jdbc (2020-5a31ccfe66)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"fixed XML external entity (XXE) vulnerability\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-5a31ccfe66\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected postgresql-jdbc package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:postgresql-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:32\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^32([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 32\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC32\", reference:\"postgresql-jdbc-42.2.12-2.fc32\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postgresql-jdbc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-19T05:33:17", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:3286 advisory.\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "edition": 3, "cvss3": {"score": 7.7, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H"}, "published": "2020-08-03T00:00:00", "title": "RHEL 8 : postgresql-jdbc (RHSA-2020:3286)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-13692"], "modified": "2020-08-03T00:00:00", "cpe": ["cpe:/o:redhat:rhel_eus:8.1", "cpe:/a:redhat:rhel_eus:8.1::appstream", "cpe:/o:redhat:rhel_e4s:8.1", "cpe:/a:redhat:rhel_e4s:8.1::appstream", "p-cpe:/a:redhat:enterprise_linux:postgresql-jdbc", "p-cpe:/a:redhat:enterprise_linux:postgresql-jdbc-javadoc"], "id": "REDHAT-RHSA-2020-3286.NASL", "href": "https://www.tenable.com/plugins/nessus/139290", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3286. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139290);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/18\");\n\n script_cve_id(\"CVE-2020-13692\");\n script_xref(name:\"RHSA\", value:\"2020:3286\");\n\n script_name(english:\"RHEL 8 : postgresql-jdbc (RHSA-2020:3286)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2020:3286 advisory.\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/611.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-13692\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3286\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1852985\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected postgresql-jdbc and / or postgresql-jdbc-javadoc packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13692\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(611);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_e4s:8.1::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:rhel_eus:8.1::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:postgresql-jdbc-javadoc\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/RedHat/release');\nif (isnull(release) || 'Red Hat' >!< release) audit(AUDIT_OS_NOT, 'Red Hat');\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Red Hat 8.1', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nrepositories = {\n 'rhel_e4s_8_1_appstream': [\n 'rhel-8-for-x86_64-appstream-e4s-debug-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-source-rpms'\n ],\n 'rhel_eus_8_1_appstream': [\n 'rhel-8-for-aarch64-appstream-eus-debug-rpms',\n 'rhel-8-for-aarch64-appstream-eus-rpms',\n 'rhel-8-for-aarch64-appstream-eus-source-rpms',\n 'rhel-8-for-s390x-appstream-eus-debug-rpms',\n 'rhel-8-for-s390x-appstream-eus-rpms',\n 'rhel-8-for-s390x-appstream-eus-source-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-debug-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-rpms',\n 'rhel-8-for-x86_64-appstream-e4s-source-rpms',\n 'rhel-8-for-x86_64-appstream-eus-debug-rpms',\n 'rhel-8-for-x86_64-appstream-eus-rpms',\n 'rhel-8-for-x86_64-appstream-eus-source-rpms'\n ]\n};\n\nfound_repos = NULL;\nhost_repo_list = get_kb_list('Host/RedHat/repo-list/*');\nif (!(empty_or_null(host_repo_list))) {\n found_repos = make_list();\n foreach repo_key (keys(repositories)) {\n foreach repo ( repositories[repo_key] ) {\n if (get_kb_item('Host/RedHat/repo-list/' + repo)) {\n append_element(var:found_repos, value:repo_key);\n break;\n }\n }\n }\n if(empty_or_null(found_repos)) audit(AUDIT_RHSA_NOT_AFFECTED, 'RHSA-2020:3286');\n}\n\npkgs = [\n {'reference':'postgresql-jdbc-42.2.3-3.el8_1', 'sp':'1', 'release':'8', 'el_string':'el8_1', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']},\n {'reference':'postgresql-jdbc-javadoc-42.2.3-3.el8_1', 'sp':'1', 'release':'8', 'el_string':'el8_1', 'rpm_spec_vers_cmp':TRUE, 'repo_list':['rhel_e4s_8_1_appstream', 'rhel_eus_8_1_appstream']}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n repo_list = NULL;\n if (!empty_or_null(package_array['repo_list'])) repo_list = package_array['repo_list'];\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n repocheck = FALSE;\n if (empty_or_null(found_repos))\n {\n repocheck = TRUE;\n }\n else\n {\n foreach repo (repo_list) {\n if (contains_element(var:found_repos, value:repo))\n {\n repocheck = TRUE;\n break;\n }\n }\n }\n if (repocheck && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n if (empty_or_null(host_repo_list)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'postgresql-jdbc / postgresql-jdbc-javadoc');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T13:13:24", "description": "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the ALAS2-2020-1482 advisory.\n\n - PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 7.7, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H"}, "published": "2020-09-02T00:00:00", "title": "Amazon Linux 2 : postgresql-jdbc (ALAS-2020-1482)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-13692"], "modified": "2020-09-02T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:postgresql-jdbc", "cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:postgresql-jdbc-javadoc"], "id": "AL2_ALAS-2020-1482.NASL", "href": "https://www.tenable.com/plugins/nessus/140194", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2020-1482.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(140194);\n script_version(\"1.1\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/02\");\n\n script_cve_id(\"CVE-2020-13692\");\n script_xref(name:\"ALAS\", value:\"2020-1482\");\n\n script_name(english:\"Amazon Linux 2 : postgresql-jdbc (ALAS-2020-1482)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the ALAS2-2020-1482 advisory.\n\n - PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2020-1482.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-13692\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update postgresql-jdbc' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13692\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:postgresql-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:postgresql-jdbc-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\npkgs = [\n {'reference':'postgresql-jdbc-9.2.1002-8.amzn2', 'release':'AL2'},\n {'reference':'postgresql-jdbc-javadoc-9.2.1002-8.amzn2', 'release':'AL2'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postgresql-jdbc / postgresql-jdbc-javadoc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-01T14:10:58", "description": "Security Fix(es) :\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability\n in PgSQLXML (CVE-2020-13692)", "edition": 2, "cvss3": {"score": 7.7, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H"}, "published": "2020-08-06T00:00:00", "title": "Scientific Linux Security Update : postgresql-jdbc on SL7.x (noarch) (20200803)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-13692"], "modified": "2020-08-06T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux", "p-cpe:/a:fermilab:scientific_linux:postgresql-jdbc", "p-cpe:/a:fermilab:scientific_linux:postgresql-jdbc-javadoc"], "id": "SL_20200803_POSTGRESQL_JDBC_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/139354", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139354);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/30\");\n\n script_cve_id(\"CVE-2020-13692\");\n\n script_name(english:\"Scientific Linux Security Update : postgresql-jdbc on SL7.x (noarch) (20200803)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security Fix(es) :\n\n - postgresql-jdbc: XML external entity (XXE) vulnerability\n in PgSQLXML (CVE-2020-13692)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind2008&L=SCIENTIFIC-LINUX-ERRATA&P=1347\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5ef746e2\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Update the affected postgresql-jdbc and / or postgresql-jdbc-javadoc\npackages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13692\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:postgresql-jdbc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:postgresql-jdbc-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", reference:\"postgresql-jdbc-9.2.1002-8.el7_8\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"postgresql-jdbc-javadoc-9.2.1002-8.el7_8\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"postgresql-jdbc / postgresql-jdbc-javadoc\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-14T17:31:08", "description": "The remote Oracle Linux 6 host has a package installed that is affected by a vulnerability as referenced in the\nELSA-2020-3284 advisory.\n\n - PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 3, "cvss3": {"score": 7.7, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H"}, "published": "2020-08-12T00:00:00", "title": "Oracle Linux 6 : postgresql-jdbc (ELSA-2020-3284)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-13692"], "modified": "2020-08-12T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:postgresql-jdbc"], "id": "ORACLELINUX_ELSA-2020-3284.NASL", "href": "https://www.tenable.com/plugins/nessus/139351", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2020-3284.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139351);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/12\");\n\n script_cve_id(\"CVE-2020-13692\");\n\n script_name(english:\"Oracle Linux 6 : postgresql-jdbc (ELSA-2020-3284)\");\n script_summary(english:\"Checks the rpm output for the updated package\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 6 host has a package installed that is affected by a vulnerability as referenced in the\nELSA-2020-3284 advisory.\n\n - PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. (CVE-2020-13692)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://linux.oracle.com/errata/ELSA-2020-3284.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected postgresql-jdbc package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-13692\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/12\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:postgresql-jdbc\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 6', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\npkgs = [\n {'reference':'postgresql-jdbc-8.4.704-4.el6_10', 'release':'6'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'postgresql-jdbc');\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "oraclelinux": [{"lastseen": "2020-08-04T19:38:25", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "[9.2.1002-8]\n- require explicitly jdk-1.7 due to ABI bytecode compatibility\n[9.2.1002-7]\n- fixed XXE vulnerability (CVE-2020-13692)", "edition": 2, "modified": "2020-08-04T00:00:00", "published": "2020-08-04T00:00:00", "id": "ELSA-2020-3285", "href": "http://linux.oracle.com/errata/ELSA-2020-3285.html", "title": "postgresql-jdbc security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-29T23:32:19", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "[42.2.3-3]\n- fixed XXE vulnerability unit test\n[42.2.3-2]\n- fixed XXE vulnerability (CVE-2020-13692)", "edition": 1, "modified": "2020-07-29T00:00:00", "published": "2020-07-29T00:00:00", "id": "ELSA-2020-3176", "href": "http://linux.oracle.com/errata/ELSA-2020-3176.html", "title": "postgresql-jdbc security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-04T11:34:40", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "[8.4.704-4]\n- require explicitly jdk-1.6 due to ABI bytecode compatibility\n[8.4.704-3]\n- fixed XXE vulnerability (CVE-2020-13692)", "edition": 1, "modified": "2020-08-04T00:00:00", "published": "2020-08-04T00:00:00", "id": "ELSA-2020-3284", "href": "http://linux.oracle.com/errata/ELSA-2020-3284.html", "title": "postgresql-jdbc security update", "type": "oraclelinux", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2020-11-10T12:36:36", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "**Issue Overview:**\n\nPostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. A flaw was found in PostgreSQL JDBC in versions prior to 42.2.13. An XML External Entity (XXE) weakness was found in PostgreSQL JDBC. The highest threat from this vulnerability is to data confidentiality and system availability. ([CVE-2020-13692 __](<https://access.redhat.com/security/cve/CVE-2020-13692>)) \n\n\n \n**Affected Packages:** \n\n\npostgresql-jdbc\n\n \n**Issue Correction:** \nRun _yum update postgresql-jdbc_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n postgresql-jdbc-9.2.1002-8.amzn2.noarch \n postgresql-jdbc-javadoc-9.2.1002-8.amzn2.noarch \n \n src: \n postgresql-jdbc-9.2.1002-8.amzn2.src \n \n \n", "edition": 1, "modified": "2020-09-01T00:40:00", "published": "2020-09-01T00:40:00", "id": "ALAS2-2020-1482", "href": "https://alas.aws.amazon.com/AL2/ALAS-2020-1482.html", "title": "Important: postgresql-jdbc", "type": "amazon", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "PostgreSQL is an advanced Object-Relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database. ", "modified": "2020-08-07T01:19:39", "published": "2020-08-07T01:19:39", "id": "FEDORA:1620B30A0F0E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 32 Update: postgresql-jdbc-42.2.12-2.fc32", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "centos": [{"lastseen": "2020-08-07T17:40:27", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "**CentOS Errata and Security Advisory** CESA-2020:3285\n\n\nPostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database.\n\nSecurity Fix(es):\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nThis update introduces a backwards incompatible change required to resolve this issue. Refer to the Red Hat Knowledgebase article 5266441 linked to in the References section for information on how to re-enable the old insecure behavior.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2020-August/035788.html\n\n**Affected packages:**\npostgresql-jdbc\npostgresql-jdbc-javadoc\n\n**Upstream details at:**\n", "edition": 1, "modified": "2020-08-07T12:28:04", "published": "2020-08-07T12:28:04", "id": "CESA-2020:3285", "href": "http://lists.centos.org/pipermail/centos-announce/2020-August/035788.html", "title": "postgresql security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-08-07T17:41:02", "bulletinFamily": "unix", "cvelist": ["CVE-2020-13692"], "description": "**CentOS Errata and Security Advisory** CESA-2020:3284\n\n\nPostgreSQL is an advanced object-relational database management system. The postgresql-jdbc package includes the .jar files needed for Java programs to access a PostgreSQL database.\n\nSecurity Fix(es):\n\n* postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML (CVE-2020-13692)\n\nThis update introduces a backwards incompatible change required to resolve this issue. Refer to the Red Hat Knowledgebase article 5266441 linked to in the References section for information on how to re-enable the old insecure behavior.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2020-August/035794.html\n\n**Affected packages:**\npostgresql-jdbc\n\n**Upstream details at:**\n", "edition": 1, "modified": "2020-08-07T13:00:18", "published": "2020-08-07T13:00:18", "id": "CESA-2020:3284", "href": "http://lists.centos.org/pipermail/centos-announce/2020-August/035794.html", "title": "postgresql security update", "type": "centos", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}