CVE-2012-3489 — MEDIUM (6.5)

Q: How severe is CVE-2012-3489?

CVE-2012-3489 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2012-3489?

Check the references section above for vendor advisories and patch information. Affected products include: Postgresql Postgresql, Opensuse Opensuse, Apple Mac Os X Server, Canonical Ubuntu Linux, Debian Debian Linux.

Vulnerability Description

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Postgresql	Postgresql	>= 8.3.0, < 8.3.20
Opensuse	Opensuse	11.4
Apple	Mac Os X Server	>= 10.7.0, <= 10.7.5
Canonical	Ubuntu Linux	8.04
Debian	Debian Linux	6.0
Redhat	Enterprise Linux Desktop	5.0
Redhat	Enterprise Linux Eus	6.3
Redhat	Enterprise Linux Server	5.0
Redhat	Enterprise Linux Workstation	5.0

Related Weaknesses (CWE)

CWE-611

References

http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.htmlMailing List
http://lists.opensuse.org/opensuse-updates/2012-09/msg00102.htmlMailing List
http://lists.opensuse.org/opensuse-updates/2012-10/msg00013.htmlMailing List
http://lists.opensuse.org/opensuse-updates/2012-10/msg00024.htmlMailing List
http://rhn.redhat.com/errata/RHSA-2012-1263.htmlThird Party Advisory
http://secunia.com/advisories/50635Broken Link
http://secunia.com/advisories/50718Broken Link
http://secunia.com/advisories/50859Broken Link
http://secunia.com/advisories/50946Broken Link
http://www.debian.org/security/2012/dsa-2534Mailing List
http://www.mandriva.com/security/advisories?name=MDVSA-2012:139Broken Link
http://www.postgresql.org/about/news/1407/Vendor Advisory
http://www.postgresql.org/docs/8.3/static/release-8-3-20.htmlRelease Notes
http://www.postgresql.org/docs/8.4/static/release-8-4-13.htmlRelease Notes
http://www.postgresql.org/docs/9.0/static/release-9-0-9.htmlRelease Notes

FAQ

What is CVE-2012-3489?

CVE-2012-3489 is a vulnerability with a CVSS score of 6.5 (MEDIUM). The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users ...

How severe is CVE-2012-3489?

CVE-2012-3489 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2012-3489?

Check the references section above for vendor advisories and patch information. Affected products include: Postgresql Postgresql, Opensuse Opensuse, Apple Mac Os X Server, Canonical Ubuntu Linux, Debian Debian Linux.