Release Date: 2012-08-17
Impact: Moderate
The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
See more information about CVE-2012-3488 from the MITRE CVE dictionary and NIST NVD.
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
| Metric | Value |
|---|---|
| Base Score | 3.8 |
| Vector String | AV:A/AC:M/Au:S/C:P/I:P/A:N |
| Version | 2.0 |
| Attack Vector | Adjacent Network |
| Attack Complexity | Medium |
| Authentication | Single |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | None |
| Platform | Errata | Release Date |
|---|---|---|
| Oracle Linux version 5 (postgresql) | ELSA-2012-1264 | 2012-09-13 |
| Oracle Linux version 5 (postgresql84) | ELSA-2012-1263 | 2012-09-13 |
| Oracle Linux version 6 (postgresql) | ELSA-2012-1263 | 2012-09-13 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections: