ubuntucve, Ubuntu.com, UB:CVE-2012-3488
Aug 17, 2012 - 12:00 a.m.

CVE-2012-3488

CVSS2: 4.9 (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.002
Percentile: 54.2%

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4
before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly
restrict access to files and URLs, which allows remote authenticated users
to modify data, obtain sensitive information, or trigger outbound traffic
to arbitrary external hosts by leveraging (1) stylesheet commands that are
permitted by the libxslt security options or (2) an xslt_process feature,
related to an XML External Entity (aka XXE) issue.

| OS | OS version | Architecture | Package | Package version | Filename |
|---|---|---|---|---|---|
| ubuntu | 8.04 | noarch | postgresql-8.3 | < 8.3.20-0ubuntu8.04 | UNKNOWN |
| ubuntu | 10.04 | noarch | postgresql-8.4 | < 8.4.13-0ubuntu10.04 | UNKNOWN |
| ubuntu | 11.04 | noarch | postgresql-8.4 | < 8.4.13-0ubuntu11.04 | UNKNOWN |
| ubuntu | 12.04 | noarch | postgresql-8.4 | < 8.4.22-0ubuntu0.12.04 | UNKNOWN |
| ubuntu | 11.10 | noarch | postgresql-9.1 | < 9.1.5-0ubuntu11.10 | UNKNOWN |
| ubuntu | 12.04 | noarch | postgresql-9.1 | < 9.1.5-0ubuntu12.04 | UNKNOWN |
