CVE-2012-3489
moderate-risk
Published 2012-10-03
The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
Do I need to act?
0.96% chance of exploitation
EPSS score — low exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 6.5/10 (Medium); attack vector: NETWORK; attack complexity: LOW
Affected Products (19)
References (42)
Third Party Advisory: http://rhn.redhat.com/errata/RHSA-2012-1263.html
Broken Link: http://secunia.com/advisories/50635
Broken Link: http://secunia.com/advisories/50718
Broken Link: http://secunia.com/advisories/50859
Broken Link: http://secunia.com/advisories/50946
Mailing List: http://www.debian.org/security/2012/dsa-2534
Vendor Advisory: http://www.postgresql.org/about/news/1407/
Release Notes: http://www.postgresql.org/support/security/
Broken Link: http://www.securityfocus.com/bid/55074
Third Party Advisory: http://www.ubuntu.com/usn/USN-1542-1
Third Party Advisory: https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresq...
Risk score: 46/100 (moderate-risk)
Severity: 24/34 (High)
Exploitability: 3/34 (Minimal)
Exposure: 19/34 (Moderate)