CVE-2012-3488
module): XXE by applying XSL stylesheet to the document
Descriptions
The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or generate outbound traffic to external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) the xslt_process functionality, related to an XML External Entity (also known as XXE) issue.
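The description above gives everything needed to triage a server: the fixed versions per branch, the fact that the code path is contrib/xml2's xslt_process(), and the fact that the attacker must be an authenticated user able to call it. The following SQL is an added triage and mitigation example, not part of this database entry or of the PostgreSQL project's documentation. It assumes a superuser session on the server being checked; the version boundaries are taken from the description, and the two argument lists in the REVOKE statements are assumed to be the two xslt_process overloads installed by contrib/xml2 (adjust them to what the second query reports).

```sql
-- Added triage and mitigation example for CVE-2012-3488 (not from this entry or
-- from the PostgreSQL project). Assumes a superuser session on the server checked.

-- 1. Is this server in an affected range?  Fixed in 8.3.20, 8.4.13, 9.0.9, 9.1.5.
--    server_version_num is MMmmPP, e.g. 90104 = 9.1.4.
SELECT current_setting('server_version') AS server_version,
       CASE
         WHEN v BETWEEN 80300 AND 80319 THEN 'affected: upgrade to 8.3.20 or later'
         WHEN v BETWEEN 80400 AND 80412 THEN 'affected: upgrade to 8.4.13 or later'
         WHEN v BETWEEN 90000 AND 90008 THEN 'affected: upgrade to 9.0.9 or later'
         WHEN v BETWEEN 90100 AND 90104 THEN 'affected: upgrade to 9.1.5 or later'
         ELSE 'not in a version range listed for CVE-2012-3488'
       END AS cve_2012_3488_status
FROM (SELECT current_setting('server_version_num')::int AS v) AS s;

-- 2. Is contrib/xml2 installed in this database, and who may call xslt_process()?
--    The bug needs an authenticated caller of this function, so a NULL proacl
--    (default privileges, i.e. EXECUTE granted to PUBLIC) means every role can
--    reach it. The module is installed per database, so run this in each one.
SELECT n.nspname                      AS schema_name,
       p.proname,
       oidvectortypes(p.proargtypes)  AS argument_types,
       pg_get_userbyid(p.proowner)    AS owner,
       p.proacl
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.proname = 'xslt_process';

-- 3. Interim mitigation until the server is upgraded: take the libxslt code path
--    away from untrusted roles. The two signatures below are assumed to be the
--    overloads shipped by contrib/xml2; use the argument lists query 2 reports.
REVOKE EXECUTE ON FUNCTION xslt_process(text, text)       FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION xslt_process(text, text, text) FROM PUBLIC;
-- Re-run query 2: proacl should now list only the owner and any explicit grantees.
```

Upgrading to the fixed minor release is the actual fix; the REVOKE only narrows who can reach xslt_process() and does nothing for roles that hold an explicit EXECUTE grant or for superusers, so check the proacl column after revoking rather than assuming PUBLIC was the only grantee.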
Timeline
- 2012-06-14 CVE Reserved
- 2012-08-20 CVE Published
- 2023-08-24 EPSS Updated
- 2024-08-06 CVE Updated
- (no date recorded) Exploited in Wild
- (no date recorded) KEV Due Date
- (no date recorded) First Exploit
CWE
- CWE-264: Permissions, Privileges, and Access Controls
References (25)
URL | Tag
---|---
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 | X_refsource_confirm
http://secunia.com/advisories/50635 | Third Party Advisory
http://secunia.com/advisories/50636 | Third Party Advisory
http://secunia.com/advisories/50718 | Third Party Advisory
http://secunia.com/advisories/50859 | Third Party Advisory
http://secunia.com/advisories/50946 | Third Party Advisory
http://www.postgresql.org/docs/8.3/static/release-8-3-20.html | X_refsource_confirm
http://www.postgresql.org/docs/8.4/static/release-8-4-13.html | X_refsource_confirm
http://www.postgresql.org/docs/9.0/static/release-9-0-9.html | X_refsource_confirm
http://www.postgresql.org/docs/9.1/static/release-9-1-5.html | X_refsource_confirm
http://www.securityfocus.com/bid/55072 | Vdb Entry
https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2 | X_refsource_confirm
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Postgresql | Postgresql | 9.1 | Affected
Postgresql | Postgresql | 9.1.1 | Affected
Postgresql | Postgresql | 9.1.2 | Affected
Postgresql | Postgresql | 9.1.3 | Affected
Postgresql | Postgresql | 9.1.4 | Affected
Postgresql | Postgresql | 8.4 | Affected
Postgresql | Postgresql | 8.4.1 | Affected
Postgresql | Postgresql | 8.4.2 | Affected
Postgresql | Postgresql | 8.4.3 | Affected
Postgresql | Postgresql | 8.4.4 | Affected
Postgresql | Postgresql | 8.4.5 | Affected
Postgresql | Postgresql | 8.4.6 | Affected
Postgresql | Postgresql | 8.4.7 | Affected
Postgresql | Postgresql | 8.4.8 | Affected
Postgresql | Postgresql | 8.4.9 | Affected
Postgresql | Postgresql | 8.4.10 | Affected
Postgresql | Postgresql | 8.4.11 | Affected
Postgresql | Postgresql | 8.4.12 | Affected
Postgresql | Postgresql | 8.3 | Affected
Postgresql | Postgresql | 8.3.1 | Affected
Postgresql | Postgresql | 8.3.2 | Affected
Postgresql | Postgresql | 8.3.3 | Affected
Postgresql | Postgresql | 8.3.4 | Affected
Postgresql | Postgresql | 8.3.5 | Affected
Postgresql | Postgresql | 8.3.6 | Affected
Postgresql | Postgresql | 8.3.7 | Affected
Postgresql | Postgresql | 8.3.8 | Affected
Postgresql | Postgresql | 8.3.9 | Affected
Postgresql | Postgresql | 8.3.10 | Affected
Postgresql | Postgresql | 8.3.11 | Affected
Postgresql | Postgresql | 8.3.12 | Affected
Postgresql | Postgresql | 8.3.13 | Affected
Postgresql | Postgresql | 8.3.14 | Affected
Postgresql | Postgresql | 8.3.15 | Affected
Postgresql | Postgresql | 8.3.16 | Affected
Postgresql | Postgresql | 8.3.17 | Affected
Postgresql | Postgresql | 8.3.18 | Affected
Postgresql | Postgresql | 8.3.19 | Affected
Postgresql | Postgresql | 9.0 | Affected
Postgresql | Postgresql | 9.0.1 | Affected
Postgresql | Postgresql | 9.0.2 | Affected
Postgresql | Postgresql | 9.0.3 | Affected
Postgresql | Postgresql | 9.0.4 | Affected
Postgresql | Postgresql | 9.0.5 | Affected
Postgresql | Postgresql | 9.0.6 | Affected
Postgresql | Postgresql | 9.0.7 | Affected
Postgresql | Postgresql | 9.0.8 | Affected