CVE-2020-13692: XEE

Published Jun 4, 2020
·
Updated

A flaw was found in PostgreSQL JDBC in versions prior to 42.2.13. An XML External Entity (XXE) weakness was found in PostgreSQL JDBC. The highest threat from this vulnerability is to data confidentiality and system availability.

Other sources

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.

PostgreSQL JDBC Driver could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information.

IBM

Affected Software

16 affected componentsFixes available
redhat/postgresql-jdbc<0:8.4.704-4.el6_10
0:8.4.704-4.el6_10
redhat/postgresql-jdbc<0:9.2.1002-8.el7_8
0:9.2.1002-8.el7_8
redhat/postgresql-jdbc<0:42.2.3-3.el8_2
0:42.2.3-3.el8_2
redhat/postgresql-jdbc<0:42.2.3-3.el8_0
0:42.2.3-3.el8_0
redhat/postgresql-jdbc<0:42.2.3-3.el8_1
0:42.2.3-3.el8_1
debian/libpgjava
42.2.5-2+deb10u142.2.5-2+deb10u342.2.15-1+deb11u142.5.4-142.6.0-2
redhat/postgresql-jdbc<42.2.13
42.2.13
maven/org.postgresql:postgresql>=9.4.1212.jre6<42.2.13
42.2.13
IBM ISAM<=9.0.7
IBM Security Verify Access<=10.0.0
PostgreSQL PostgreSQL JDBC driver<42.2.13
Quarkus Quarkus<=1.5.2
NetApp Steelstore Cloud Integrated Storage
Fedoraproject Fedora=32
Debian Debian Linux=10.0
Debian Debian Linux=11.0

Remediation

Patch Available

https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65

Event History

Jun 4, 2020
CVE Published
12:00 AM
CVE Published
via MITRE·03:07 PM
Data Sourced
via MITRE·03:07 PM
Description
Jun 14, 2020
Data Sourced
07:33 PM
SeverityAffected Software
Jul 1, 2020
Data Sourced
via Red Hat·05:07 PM
DescriptionSeverityAffected Software
Feb 10, 2022
Advisory Published
via GitHub·12:30 AM

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2020-13692?

CVE-2020-13692 is a vulnerability in the PostgreSQL JDBC Driver.

2

How does CVE-2020-13692 affect PostgreSQL JDBC Driver?

CVE-2020-13692 allows a remote attacker to obtain sensitive information by exploiting an XML external entity (XXE) error in the driver.

3

What is the severity of CVE-2020-13692?

CVE-2020-13692 has a severity value of 7.7, which is classified as high severity.

4

Which versions of PostgreSQL JDBC Driver are affected by CVE-2020-13692?

PostgreSQL JDBC Driver versions before 42.2.13 are affected by CVE-2020-13692.

5

How can I fix CVE-2020-13692?

To fix CVE-2020-13692, you should update your PostgreSQL JDBC Driver to version 42.2.13 or higher.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203