Input validation error in postgresql (Alpine package)
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2012-3489 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
postgresql (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Input validation error
EUVDB-ID: #VU32770
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2012-3489
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to gain access to sensitive information.
The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.
MitigationInstall update from vendor's website.
Vulnerable software versionspostgresql (Alpine package): 9.0.8-r0
CPE2.3 External linkshttps://git.alpinelinux.org/aports/commit/?id=f74a7e2ad3e172936c54f9a7a45c5a52e2a67fe2
https://git.alpinelinux.org/aports/commit/?id=f78420a1d1a6053c04ab7635ae72ec2537810a55
https://git.alpinelinux.org/aports/commit/?id=1c5310eff360085f33d17aad26ce9569a42419e7
https://git.alpinelinux.org/aports/commit/?id=cd8669403fa9d39f9b385aaee42d8da3d1db20ff
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
