CVE-2012-3489

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
References
Link Resource
http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html Mailing List
http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.html Mailing List
http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.html Mailing List
http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.html Mailing List
http://rhn.redhat.com/errata/RHSA-2012-1263.html Third Party Advisory
http://secunia.com/advisories/50635 Broken Link
http://secunia.com/advisories/50718 Broken Link
http://secunia.com/advisories/50859 Broken Link
http://secunia.com/advisories/50946 Broken Link
http://www.debian.org/security/2012/dsa-2534 Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2012:139 Broken Link
http://www.postgresql.org/about/news/1407/ Vendor Advisory
http://www.postgresql.org/docs/8.3/static/release-8-3-20.html Release Notes
http://www.postgresql.org/docs/8.4/static/release-8-4-13.html Release Notes
http://www.postgresql.org/docs/9.0/static/release-9-0-9.html Release Notes
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html Release Notes
http://www.postgresql.org/support/security/ Release Notes Vendor Advisory
http://www.securityfocus.com/bid/55074 Broken Link Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/USN-1542-1 Third Party Advisory
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=849173 Issue Tracking Patch Release Notes
Configurations

Configuration 1

OR cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

Configuration 2

OR cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:12.1:*:*:*:*:*:*:*
cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*

Configuration 3

OR cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:*
cpe:2.3:o:apple:mac_os_x_server:10.6.8:*:*:*:*:*:*:*

Configuration 4

OR cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*

Configuration 5

cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*

Configuration 6

OR cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_eus:6.3:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

History

No history.

Information

Published : 2012-10-03 21:55

Updated : 2025-04-11 00:51


NVD link : CVE-2012-3489

Mitre link : CVE-2012-3489

CVE.ORG link : CVE-2012-3489


Products Affected

redhat

  • enterprise_linux_workstation
  • enterprise_linux_eus
  • enterprise_linux_desktop
  • enterprise_linux_server

apple

  • mac_os_x_server

debian

  • debian_linux

postgresql

  • postgresql

canonical

  • ubuntu_linux

opensuse

  • opensuse

CWE
CWE-611

Improper Restriction of XML External Entity Reference