Vulnerability & Exploit Database


RHSA-2012:1263: postgresql and postgresql84 security update

Severity:  5
CVSS:      (AV:N/AC:M/Au:S/C:P/I:P/A:N)
Published: September 13, 2012
Added:     September 17, 2012
Modified:  July 04, 2017


PostgreSQL is an advanced object-relational database management system (DBMS).

It was found that the optional PostgreSQL xml2 contrib module allowed local files and remote URLs to be read and written to with the privileges of the database server when parsing Extensible Stylesheet Language Transformations (XSLT). An unprivileged database user could use this flaw to read and write to local files (such as the database's configuration files) and remote URLs they would otherwise not have access to by issuing a specially-crafted SQL query. (CVE-2012-3488)

It was found that the "xml" data type allowed local files and remote URLs to be read with the privileges of the database server to resolve DTD and entity references in the provided XML. An unprivileged database user could use this flaw to read local files they would otherwise not have access to by issuing a specially-crafted SQL query. Note that the full contents of the files were not returned, but portions could be displayed to the user via error messages. (CVE-2012-3489)

Red Hat would like to thank the PostgreSQL project for reporting these issues. Upstream acknowledges Peter Eisentraut as the original reporter of CVE-2012-3488, and Noah Misch as the original reporter of CVE-2012-3489.

These updated packages upgrade PostgreSQL to version 8.4.13. Refer to the PostgreSQL Release Notes for a list of changes.

PostgreSQL users are advised to upgrade to these updated packages, which correct these issues. If the postgresql service is running, it will be automatically restarted after installing this update.
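The SQL below is an added example for checking a server against the two issues described above; it is not part of the Red Hat advisory and not code from the PostgreSQL project. It assumes a superuser psql session on an 8.4 server, that the xml2 contrib module (if present) was loaded with its 8.4 SQL script rather than CREATE EXTENSION, that /etc/hostname is a harmless, world-readable file on the test host used only as a probe target, and that the role name "probe" is free; all three are assumptions, not facts from the advisory.

```sql
-- Added example (not from the advisory): checks and a compensating control
-- for CVE-2012-3488 (xml2 contrib XSLT) and CVE-2012-3489 (xml data type).
-- Assumptions: superuser psql session; xml2 loaded via pgxml.sql (8.4 has
-- no CREATE EXTENSION); /etc/hostname is a harmless probe target; the role
-- name "probe" is unused. Run on a test server, not production.

-- 1. Is the server already at the fixed upstream release (8.4.13 or later)?
SELECT version();
SHOW server_version;

-- 2. Is the optional xml2 contrib module present (CVE-2012-3488), and who may
--    call it?  Contrib functions are created with the default ACL, so a NULL
--    proacl means EXECUTE is granted to PUBLIC, i.e. to every database user.
SELECT p.oid::regprocedure AS function,
       p.proacl            AS acl      -- NULL = default ACL, PUBLIC may execute
FROM   pg_proc p
JOIN   pg_namespace n ON n.oid = p.pronamespace
WHERE  p.proname IN ('xslt_process', 'xpath_table')   -- xslt_process only exists
ORDER BY 1;                                            -- when built with libxslt

-- 3. Probe for CVE-2012-3489 as an unprivileged role: the xml type is asked to
--    resolve an external entity while validating the document. On an unpatched
--    8.4.x server the parser fetches the file with the server's OS privileges
--    and the statement succeeds (the xml value returned is the original text,
--    so the file content only surfaces through parse errors, as the advisory
--    notes). On a fixed server the external reference is not resolved and the
--    statement fails with an XML parse error without touching the file.
CREATE ROLE probe;          -- throwaway, non-superuser role (assumption)
SET ROLE probe;
SELECT xmlparse(DOCUMENT
  '<!DOCTYPE t [<!ENTITY ext SYSTEM "file:///etc/hostname">]><t>&ext;</t>');
RESET ROLE;
DROP ROLE probe;

-- 4. Compensating control until the update is installed: stop ordinary roles
--    from reaching the XSLT processor at all. Both overloads shipped by xml2
--    are revoked; re-grant to a specific role only if it genuinely needs XSLT.
REVOKE EXECUTE ON FUNCTION xslt_process(text, text)       FROM PUBLIC;
REVOKE EXECUTE ON FUNCTION xslt_process(text, text, text) FROM PUBLIC;
-- GRANT EXECUTE ON FUNCTION xslt_process(text, text) TO some_etl_role;  -- optional
```

Step 3 is a differential check, not a data-exfiltration test: a success means the server contacted the file on behalf of an unprivileged role, which is the condition the update removes. The revoke in step 4 only narrows who can invoke the vulnerable XSLT path; it does not fix CVE-2012-3489, which lives in the core xml type, so the package update is still required.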
