Информационная безопасность
[RU] switch to English


Повышение привилегий в PostgreSQL
Опубликовано:27 августа 2012 г.
Источник:
SecurityVulns ID:12540
Тип:локальная
Уровень опасности:
5/10
Описание:Различные повышения привилегий через расширение XML2.
Затронутые продукты:POSTGRES : PostgreSQL 8.4
 POSTGRES : PostgreSQL 9.1
CVE:CVE-2012-3489 (The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.)
 CVE-2012-3488 (The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.)
Оригинальный текстdocumentUBUNTU, [USN-1542-1] PostgreSQL vulnerabilities (27.08.2012)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород