{
  "threat_severity" : "Important",
  "public_date" : "2020-06-04T00:00:00Z",
  "bugzilla" : {
    "description" : "postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML",
    "id" : "1852985",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1852985"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.7",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-611",
  "details" : [ "PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.", "A flaw was found in PostgreSQL JDBC in versions prior to 42.2.13. An XML External Entity (XXE) weakness was found in PostgreSQL JDBC. The highest threat from this vulnerability is to data confidentiality and system availability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat AMQ Online 1.5.2 GA",
    "release_date" : "2020-07-29T00:00:00Z",
    "advisory" : "RHSA-2020:3209",
    "cpe" : "cpe:/a:redhat:amq_online:1.5",
    "package" : "jdbc-postgresql",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat build of Quarkus 1.3.4 SP1",
    "release_date" : "2020-07-30T00:00:00Z",
    "advisory" : "RHSA-2020:3248",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "quarkus-jdbc-postgresql",
    "impact" : "important"
  }, {
    "product_name" : "Red Hat build of Quarkus 1.3.4 SP1",
    "release_date" : "2020-07-30T00:00:00Z",
    "advisory" : "RHSA-2020:3248",
    "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0",
    "package" : "quarkus-jdbc-postgresql-deployment",
    "impact" : "important"
  }, {
    "product_name" : "Red Hat Decision Manager 7",
    "release_date" : "2020-09-08T00:00:00Z",
    "advisory" : "RHSA-2020:3675",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7.8",
    "package" : "jdbc-postgresql"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "release_date" : "2020-08-03T00:00:00Z",
    "advisory" : "RHSA-2020:3284",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6",
    "package" : "postgresql-jdbc-0:8.4.704-4.el6_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2020-08-03T00:00:00Z",
    "advisory" : "RHSA-2020:3285",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "postgresql-jdbc-0:9.2.1002-8.el7_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-07-28T00:00:00Z",
    "advisory" : "RHSA-2020:3176",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "postgresql-jdbc-0:42.2.3-3.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions",
    "release_date" : "2020-08-03T00:00:00Z",
    "advisory" : "RHSA-2020:3283",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.0",
    "package" : "postgresql-jdbc-0:42.2.3-3.el8_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Extended Update Support",
    "release_date" : "2020-08-03T00:00:00Z",
    "advisory" : "RHSA-2020:3286",
    "cpe" : "cpe:/a:redhat:rhel_eus:8.1",
    "package" : "postgresql-jdbc-0:42.2.3-3.el8_1"
  }, {
    "product_name" : "Red Hat Fuse 7.8.0",
    "release_date" : "2020-12-16T00:00:00Z",
    "advisory" : "RHSA-2020:5568",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7",
    "package" : "jdbc-postgresql"
  }, {
    "product_name" : "Red Hat Integration - Camel K - Tech-Preview 2",
    "release_date" : "2021-01-13T00:00:00Z",
    "advisory" : "RHSA-2021:0110",
    "cpe" : "cpe:/a:redhat:integration:1",
    "package" : "jdbc-postgresql"
  }, {
    "product_name" : "Red Hat Integration Debezium 1.1.3",
    "release_date" : "2020-07-20T00:00:00Z",
    "advisory" : "RHSA-2020:3005",
    "cpe" : "cpe:/a:redhat:integration:1",
    "package" : "jdbc-postgresql"
  }, {
    "product_name" : "Red Hat Process Automation 7",
    "release_date" : "2020-09-08T00:00:00Z",
    "advisory" : "RHSA-2020:3678",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7.8",
    "package" : "jdbc-postgresql"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "quarkus-jdbc-postgresql",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Not affected",
    "package_name" : "quarkus-jdbc-postgresql-deployment",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Affected",
    "package_name" : "jdbc-postgresql",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "quarkus-jdbc-postgresql",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat Integration Camel K 1",
    "fix_state" : "Not affected",
    "package_name" : "quarkus-jdbc-postgresql-deployment",
    "cpe" : "cpe:/a:redhat:integration:1"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Not affected",
    "package_name" : "jdbc-postgresql",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-13692\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-13692" ],
  "name" : "CVE-2020-13692",
  "csaw" : false
}