Select your cookie preferences

We use cookies and similar tools to enhance your experience, provide our services, deliver relevant advertising, and make improvements. Approved third parties also use these tools to help us deliver advertising and provide certain site features.

CVE-2012-3488

Public on 2012-09-04
Modified on 2014-09-14
Description

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.

Severity
Medium
See what this means
CVSS v3 Base Score
3.8
See breakdown
Continue reading

Affected Packages

Platform Package Release Date Advisory
Amazon Linux 1 postgresql8 2012-09-22 21:38 ALAS-2012-129
Amazon Linux 1 postgresql9 2012-09-04 10:23 ALAS-2012-121

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv2 3.8 AV:A/AC:M/Au:S/C:P/I:P/A:N
NVD CVSSv2 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N