Rapid7 Vulnerability & Exploit Database

ELSA-2012-1264 Moderate: Oracle Linux postgresql security update

Free InsightVM Trial No credit card necessary

Watch Demo See how it all works

Back to Search

ELSA-2012-1264 Moderate: Oracle Linux postgresql security update

Severity

CVSS

(AV:N/AC:M/Au:S/C:P/I:P/A:N)

Published

09/14/2012

Created

07/25/2018

Added

09/14/2012

Modified

07/04/2017

Description

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.

Solution(s)

oracle-linux-upgrade-postgresql
oracle-linux-upgrade-postgresql-contrib
oracle-linux-upgrade-postgresql-devel
oracle-linux-upgrade-postgresql-docs
oracle-linux-upgrade-postgresql-libs
oracle-linux-upgrade-postgresql-pl
oracle-linux-upgrade-postgresql-python
oracle-linux-upgrade-postgresql-server
oracle-linux-upgrade-postgresql-tcl
oracle-linux-upgrade-postgresql-test

References

https://attackerkb.com/topics/cve-2012-3488
APPLE-SA-2013-03-14-1
55072
CVE - 2012-3488
DSA-2534
RHSA-2012:1263
RHSA-2012:1264
http://oss.oracle.com/pipermail/el-errata/2012-September/003028.html

Advanced vulnerability management analytics and reporting.

Key Features

Free InsightVM Trial View All Features

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;