Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 4.0
CVE Id: CVE-2012-3489
Last Modified: 10 Oct 2013 03:23:41
Published: 03 Oct 2012 05:55:00
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE_INSTANCE

CVE-2012-3489

Summary

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.

Vulnerable Systems

Application

  • Postgresql 8.3

  • Postgresql 8.3.1

  • Postgresql 8.3.10

  • Postgresql 8.3.11

  • Postgresql 8.3.12

  • Postgresql 8.3.13

  • Postgresql 8.3.14

  • Postgresql 8.3.15

  • Postgresql 8.3.16

  • Postgresql 8.3.17

  • Postgresql 8.3.18

  • Postgresql 8.3.19

  • Postgresql 8.3.2

  • Postgresql 8.3.3

  • Postgresql 8.3.4

  • Postgresql 8.3.5

  • Postgresql 8.3.6

  • Postgresql 8.3.7

  • Postgresql 8.3.8

  • Postgresql 8.3.9

  • Postgresql 8.4

  • Postgresql 8.4.1

  • Postgresql 8.4.10

  • Postgresql 8.4.11

  • Postgresql 8.4.12

  • Postgresql 8.4.2

  • Postgresql 8.4.3

  • Postgresql 8.4.4

  • Postgresql 8.4.5

  • Postgresql 8.4.6

  • Postgresql 8.4.7

  • Postgresql 8.4.8

  • Postgresql 8.4.9

  • Postgresql 9.0

  • Postgresql 9.0.1

  • Postgresql 9.0.2

  • Postgresql 9.0.3

  • Postgresql 9.0.4

  • Postgresql 9.0.5

  • Postgresql 9.0.6

  • Postgresql 9.0.7

  • Postgresql 9.0.8

  • Postgresql 9.1

  • Postgresql 9.1.1

  • Postgresql 9.1.2

  • Postgresql 9.1.3

  • Postgresql 9.1.4


References

CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=849173

CONFIRM - http://www.postgresql.org/support/security/

CONFIRM - http://www.postgresql.org/docs/9.1/static/release-9-1-5.html

CONFIRM - http://www.postgresql.org/docs/9.0/static/release-9-0-9.html

CONFIRM - http://www.postgresql.org/docs/8.4/static/release-8-4-13.html

CONFIRM - http://www.postgresql.org/docs/8.3/static/release-8-3-20.html

CONFIRM - http://www.postgresql.org/about/news/1407/

SUSE - openSUSE-SU-2012:1299

DEBIAN - DSA-2534

REDHAT - RHSA-2012:1263

SUSE - openSUSE-SU-2012:1288

SUSE - openSUSE-SU-2012:1251

BID - 55074

APPLE - APPLE-SA-2013-03-14-1

UBUNTU - USN-1542-1

MANDRIVA - MDVSA-2012:139

SECUNIA - 50635

SECUNIA - 50718

CONFIRM - https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2

SECUNIA - 50946

SECUNIA - 50859

Related Patches

Apple 2013-03-14 Security Update 2013-001 Server (Lion)

Apple 2013-03-14 Security Update 2013-001 Server (Snow Leopard)

Red Hat 2012:1263-01 RHSA Moderate: postgresql and postgresql84 security update for RHEL 5 x86

Novell SUSE 2012:6697 postgresql security update for SLE 11 SP1 i586

Novell SUSE 2012:6697 postgresql security update for SLE 11 SP1 x86_64

Novell SUSE 2012:8311 postgresql security update for SLE 10 SP4 i586

Novell SUSE 2012:8311 postgresql security update for SLE 10 SP4 x86_64


Last Updated: 27 May 2016 11:00:52