Medium severity · 6.5 · NVD Advisory · Published Oct 3, 2012 · Updated Apr 29, 2026
CVE-2012-3489
Description
The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
Affected products
- cpe:2.3:o:apple:mac_os_x_server:*:*:*:*:*:*:*:* (range: >=10.7.0,<=10.7.5)
- cpe:2.3:o:apple:mac_os_x_server:10.6.8:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.04:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:-:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*
- cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:6.3:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:5.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*
References
- bugzilla.redhat.com/show_bug.cgi [nvd] Issue Tracking, Patch, Release Notes
- rhn.redhat.com/errata/RHSA-2012-1263.html [nvd] Third Party Advisory
- www.postgresql.org/about/news/1407/ [nvd] Vendor Advisory
- www.postgresql.org/support/security/ [nvd] Release Notes, Vendor Advisory
- www.securityfocus.com/bid/55074 [nvd] Broken Link, Third Party Advisory, VDB Entry
- www.ubuntu.com/usn/USN-1542-1 [nvd] Third Party Advisory
- blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_postgresql2 [nvd] Third Party Advisory
- lists.apple.com/archives/security-announce/2013/Mar/msg00002.html [nvd] Mailing List
- lists.opensuse.org/opensuse-updates/2012-09/msg00102.html [nvd] Mailing List
- lists.opensuse.org/opensuse-updates/2012-10/msg00013.html [nvd] Mailing List
- lists.opensuse.org/opensuse-updates/2012-10/msg00024.html [nvd] Mailing List
- secunia.com/advisories/50635 [nvd] Broken Link
- secunia.com/advisories/50718 [nvd] Broken Link
- secunia.com/advisories/50859 [nvd] Broken Link
- secunia.com/advisories/50946 [nvd] Broken Link
- www.debian.org/security/2012/dsa-2534 [nvd] Mailing List
- www.mandriva.com/security/advisories [nvd] Broken Link
- www.postgresql.org/docs/8.3/static/release-8-3-20.html [nvd] Release Notes
- www.postgresql.org/docs/8.4/static/release-8-4-13.html [nvd] Release Notes
- www.postgresql.org/docs/9.0/static/release-9-0-9.html [nvd] Release Notes
- www.postgresql.org/docs/9.1/static/release-9-1-5.html [nvd] Release Notes