what you don't know can hurt you
Showing 1 - 7 of 7 RSS Feed

CVE-2012-3488

Status Candidate

Overview

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.

Related Files

Apple Security Advisory 2013-03-14-1
Posted Mar 15, 2013
Authored by Apple | Site apple.com

Apple Security Advisory 2013-03-14-1 - OS X Mountain Lion version 10.8.3 and Security Update 2013-001 addresses multiple vulnerabilities. These updates address a canonicalization issue with HFS and Apache, a buffer overflow in libtiff, an authentication bypass, and more.

tags | advisory, overflow, vulnerability
systems | apple, osx
advisories | CVE-2011-3058, CVE-2012-2088, CVE-2012-3488, CVE-2012-3489, CVE-2012-3525, CVE-2012-3749, CVE-2012-3756, CVE-2013-0156, CVE-2013-0333, CVE-2013-0963, CVE-2013-0966, CVE-2013-0967, CVE-2013-0969, CVE-2013-0970, CVE-2013-0971, CVE-2013-0973, CVE-2013-0976
MD5 | 8f7aec77733511ca193a5742f3a75d2c
Gentoo Linux Security Advisory 201209-24
Posted Sep 28, 2012
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201209-24 - Multiple vulnerabilities have been found in PostgreSQL which may allow a remote attacker to conduct several attacks. Versions less than 9.1.5 are affected.

tags | advisory, remote, vulnerability
systems | linux, gentoo
advisories | CVE-2012-0866, CVE-2012-0867, CVE-2012-0868, CVE-2012-2143, CVE-2012-2655, CVE-2012-3488, CVE-2012-3489
MD5 | b413793adf8cac8b1de5c98182898751
Red Hat Security Advisory 2012-1263-01
Posted Sep 14, 2012
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2012-1263-01 - PostgreSQL is an advanced object-relational database management system. It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations. An unprivileged database user could use this flaw to read and write to local files and remote URLs they would otherwise not have access to by issuing a specially-crafted SQL query.

tags | advisory, remote, local
systems | linux, redhat
advisories | CVE-2012-3488, CVE-2012-3489
MD5 | dc0b72e52ec7b2d3cdd90739765ac6ce
Red Hat Security Advisory 2012-1264-01
Posted Sep 14, 2012
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2012-1264-01 - PostgreSQL is an advanced object-relational database management system. It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations. An unprivileged database user could use this flaw to read and write to local files and remote URLs they would otherwise not have access to by issuing a specially-crafted SQL query.

tags | advisory, remote, local
systems | linux, redhat
advisories | CVE-2012-3488
MD5 | e229f098882fd647c7ad3dbc18b29536
Debian Security Advisory 2534-1
Posted Aug 26, 2012
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2534-1 - Two vulnerabilities related to XML processing were discovered in PostgreSQL, an SQL database.

tags | advisory, vulnerability
systems | linux, debian
advisories | CVE-2012-3488, CVE-2012-3489
MD5 | a30c700be57c14123525d1f4264e8545
Ubuntu Security Notice USN-1542-1
Posted Aug 21, 2012
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1542-1 - Peter Eisentraut discovered that the XSLT functionality in the optional XML2 extension would allow unprivileged database users to both read and write data with the privileges of the database server. Noah Misch and Tom Lane discovered that the XML functionality in the optional XML2 extension would allow unprivileged database users to read data with the privileges of the database server.

tags | advisory
systems | linux, ubuntu
advisories | CVE-2012-3488, CVE-2012-3489, CVE-2012-3488, CVE-2012-3489
MD5 | 6395b59e853346b0e385ce61009bf161
Mandriva Linux Security Advisory 2012-139
Posted Aug 20, 2012
Authored by Mandriva | Site mandriva.com

Mandriva Linux Security Advisory 2012-139 - Multiple vulnerabilities has been discovered and corrected in postgresql. libxslt offers the ability to read and write both files and URLs through stylesheet commands, thus allowing unprivileged database users to both read and write data with the privileges of the database server. xml_parse() would attempt to fetch external files or URLs as needed to resolve DTD and entity references in an XML value, thus allowing unprivileged database users to attempt to fetch data with the privileges of the database server. This advisory provides the latest versions of PostgreSQL that is not vulnerable to these issues.

tags | advisory, vulnerability
systems | linux, mandriva
advisories | CVE-2012-3488, CVE-2012-3489
MD5 | b66de77e22452889b471a5c1be59d2a1
Page 1 of 1
Back1Next

File Archive:

July 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    15 Files
  • 2
    Jul 2nd
    19 Files
  • 3
    Jul 3rd
    12 Files
  • 4
    Jul 4th
    1 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    25 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    0 Files
  • 9
    Jul 9th
    0 Files
  • 10
    Jul 10th
    0 Files
  • 11
    Jul 11th
    0 Files
  • 12
    Jul 12th
    0 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close