Unrated severityNVD Advisory· Published Oct 3, 2012· Updated Jun 16, 2026
CVE-2012-3488
CVE-2012-3488
Description
The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
51cpe:2.3:a:postgresql:postgresql:8.3:*:*:*:*:*:*:*+ 47 more
- cpe:2.3:a:postgresql:postgresql:8.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.13:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.15:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.16:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.17:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.18:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.19:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4.10:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4.11:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4.12:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4.5:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4.6:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4.7:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4.8:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:8.4.9:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:9.1.4:*:*:*:*:*:*:*
- (no CPE)range: <8.3.20 || <8.4.13 || <9.0.9 || <9.1.5
- osv-coords3 versionspkg:rpm/opensuse/postgresql93&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/postgresql94&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/postgresql95&distro=openSUSE%20Tumbleweed
< 9.3.15-1.1+ 2 more
- (no CPE)range: < 9.3.15-1.1
- (no CPE)range: < 9.4.10-1.1
- (no CPE)range: < 9.5.4-1.2
Patches
Vulnerability mechanics
References
24- www.postgresql.org/about/news/1407/nvdVendor Advisory
- www.postgresql.org/support/security/nvdVendor Advisory
- kb.juniper.net/InfoCenter/indexnvd
- lists.apple.com/archives/security-announce/2013/Mar/msg00002.htmlnvd
- lists.opensuse.org/opensuse-updates/2012-09/msg00102.htmlnvd
- lists.opensuse.org/opensuse-updates/2012-10/msg00013.htmlnvd
- lists.opensuse.org/opensuse-updates/2012-10/msg00024.htmlnvd
- rhn.redhat.com/errata/RHSA-2012-1263.htmlnvd
- rhn.redhat.com/errata/RHSA-2012-1264.htmlnvd
- secunia.com/advisories/50635nvd
- secunia.com/advisories/50636nvd
- secunia.com/advisories/50718nvd
- secunia.com/advisories/50859nvd
- secunia.com/advisories/50946nvd
- www.debian.org/security/2012/dsa-2534nvd
- www.mandriva.com/security/advisoriesnvd
- www.postgresql.org/docs/8.3/static/release-8-3-20.htmlnvd
- www.postgresql.org/docs/8.4/static/release-8-4-13.htmlnvd
- www.postgresql.org/docs/9.0/static/release-9-0-9.htmlnvd
- www.postgresql.org/docs/9.1/static/release-9-1-5.htmlnvd
- www.securityfocus.com/bid/55072nvd
- www.ubuntu.com/usn/USN-1542-1nvd
- blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2nvd
- bugzilla.redhat.com/show_bug.cginvd
News mentions
0No linked articles in our index yet.