{"id":"CVE-2020-13692","details":"PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XML External Entity (XXE) attacks.","aliases":["BIT-postgresql-jdbc-driver-2020-13692","GHSA-88cc-g835-76rp"],"modified":"2026-04-16T04:32:29.299755104Z","published":"2020-06-04T16:15:12.657Z","related":["ALSA-2020:3176","CGA-m783-6996-vjcc","SUSE-SU-2020:3466-1","SUSE-SU-2020:3781-1","SUSE-SU-2021:0599-1"],"references":[{"type":"WEB","url":"https://lists.apache.org/thread.html/r7f6d019839df17646ffd0046a99146cacf40492a6c92078f65fd32e0%40%3Ccommits.camel.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r00bcc6b2da972e0d6332a4ebc7807e17305d8b8e7fb2ae63d2a3cbfb%40%3Ccommits.camel.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r01ae1b3d981cf2e563e9b5b0a6ea54fb3cac8e9a0512ee5269e3420e%40%3Ccommits.camel.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r0478a1aa9ae0dbd79d8f7b38d0d93fa933ac232e2b430b6f31a103c0%40%3Ccommits.camel.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r1aae77706aab7d89b4fe19be468fc3c73e9cc84ff79cc2c3bd07c05a%40%3Ccommits.camel.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rb89f92aba44f524d5c270e0c44ca7aec4704691c37fe106cf73ec977%40%3Cnotifications.netbeans.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/rfe363bf3a46d440ad57fd05c0e313025c7218364bbdc5fd8622ea7ae%40%3Ccommits.camel.apache.org%3E"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DCCAPM6FSNOC272DLSNQ6YHXS3OMHGJC/"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r4bdea189c9991aae7a929d28f575ec46e49ed3d68fa5235825f38a4f%40%3Cnotifications.netbeans.apache.org%3E"},{"type":"WEB","url":"https://lists.apache.org/thread.html/r631f967db6260d6178740a3314a35d9421facd8212e62320275fa78e%40%3Ccommits.camel.apache.org%3E"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20200619-0005/"}
,{"type":"ADVISORY","url":"https://www.debian.org/security/2022/dsa-5196"},{"type":"ADVISORY","url":"https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13"},{"type":"FIX","url":"https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/pgjdbc/pgjdbc","events":[{"introduced":"0"},{"fixed":"e63584cfb2bbb904a971a0b19cb4857249e0b8e2"},{"fixed":"14b62aca4764d496813f55a43d050b017e01eb65"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"42.2.13"}]}},{"type":"GIT","repo":"https://github.com/quarkusio/quarkus","events":[{"introduced":"0"},{"last_affected":"1a16fc7479f91522d1c7a0c29e24e2ac10465196"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.5.2"}]}}],"versions":["1.5.2.Final","REL42.0.0","REL42.1.0","REL42.1.1","REL42.1.2","REL42.1.3","REL42.1.4","REL42.2.0","REL42.2.1","REL42.2.10","REL42.2.11","REL42.2.12","REL42.2.2","REL42.2.3","REL42.2.4","REL42.2.5","REL42.2.6","REL42.2.7","REL42.2.8","REL42.2.9","REL42.3.0-rc1","REL6_5","REL7_0","REL7_1","REL7_1_BETA","REL7_1_BETA2","REL7_1_BETA3","REL7_2","REL7_2_3","REL7_2_4","REL7_2_BETA1","REL7_2_BETA2","REL7_2_BETA3","REL7_2_BETA4","REL7_2_BETA5","REL7_2_RC1","REL7_2_RC2","REL7_4_BETA1","REL7_4_BETA2","REL7_4_BETA3","REL7_4_BETA4","REL7_4_BETA5","REL7_4_RC1","REL7_4_RC2","REL8_0_309","REL8_1_404","REL8_2_504","REL8_3_603","REL8_4_701","REL9.4.1207","REL9.4.1208","REL9.4.1209","REL9.4.1210","REL9.4.1211","REL9.4.1212","REL9_0_801","REL9_3_1100","REL9_4_1201","REL9_4_1203","REL9_4_1204","REL9_4_1205","REL9_4_1206","release-6-3"],"database_specific":{"vanir_signatures_modified":"2026-04-11T21:19:47Z","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"32"}]},{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-13692.json","va
nir_signatures":[{"digest":{"length":1074,"function_hash":"91168466433595010594273310158271129403"},"id":"CVE-2020-13692-233b9c39","signature_version":"v1","signature_type":"Function","source":"https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65","deprecated":false,"target":{"function":"getSource","file":"pgjdbc/src/main/java/org/postgresql/jdbc/PgSQLXML.java"}},{"digest":{"threshold":0.9,"line_hashes":["101067329146451035494201693243315212849","134495762650234808616434975398782091788","210025805666943601052623158012313352571"]},"id":"CVE-2020-13692-271c9c41","signature_version":"v1","signature_type":"Line","source":"https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65","deprecated":false,"target":{"file":"pgjdbc/src/main/java/org/postgresql/ds/common/BaseDataSource.java"}},{"digest":{"threshold":0.9,"line_hashes":["55026984487705996164376980564437213964","18396130103450323134615457881168146072","76912946818976542979924434334643835460","4737508437523521632253474876624928686","112411628875257068992445410591793534277","103680617069060373444046327278475204501","132136309881451248738137230168972365577","253832198385396442529900146169834616491","167290465159612428860793482761313628376","181366779180090089046023809113703411565","167482236805802335744954788966808679378","246849576797343731984123541116992330300","40165111795526528616280228665737267937","227555293508953992212123866373570736071","112000980830527187881853976368221934075","208256878476417320408997437026414182030","166727056821475751021492422294192361421","295144564236976642785991062425401967001","255204552228631070338205984857544868286","286056627723692922661756802689927082571","248841348269639933951174565334151718370","234693563279806094295810941979267100358","130976482248571160568040455994878627235","149579158592392802502322080222537423214","41329957247523189620440677413041153167","59764102473897195281281745079119228400","2049384877688503940257128049816
62577508","296939309492774231274554258259833461364"]},"id":"CVE-2020-13692-2836cc6c","signature_version":"v1","signature_type":"Line","source":"https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65","deprecated":false,"target":{"file":"pgjdbc/src/test/java/org/postgresql/jdbc/PgSQLXMLTest.java"}},{"digest":{"length":3662,"function_hash":"259686142848252625344008896594340056620"},"id":"CVE-2020-13692-2ac5ae09","signature_version":"v1","signature_type":"Function","source":"https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65","deprecated":false,"target":{"function":"PgConnection","file":"pgjdbc/src/main/java/org/postgresql/jdbc/PgConnection.java"}},{"digest":{"threshold":0.9,"line_hashes":["33766022656305527744152914897716236031","68213327411822197888519717011720676238","143831789490606968846293588755295576241","187840283112393369374382308356834548810","258282385795245385542260620890735878809","4406675877999921526359655433873745380","124286739154319815877043934518229159683","295524728167112078687039016687764860764","241661187268506588995131505348866236155","212744209351015577405523973373005824998","255168820741380243171211204157664515040","302543845847024765942748246783528307098"]},"id":"CVE-2020-13692-66abb5ee","signature_version":"v1","signature_type":"Line","source":"https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65","deprecated":false,"target":{"file":"pgjdbc/src/main/java/org/postgresql/jdbc/PgConnection.java"}},{"digest":{"threshold":0.9,"line_hashes":["120069051308780947526472469096811116826","156892502506634343853690771629971496624","263036727747078395035351009942841937036","146382539975388209330800418121325380184","267013386454474198748567148297893493760","145915646063025370210827861229881781894","121629400955697391357775438883193002618","116619991482627259624080571542781217339","222409835281595780172288590992133610565","210040191417610574246233931248298200962","186747102438
580956869236649217055149624","20974205446112082112865319280224567537","284611652566347483794426129769990436205","305730587603187461544614829662464492749","158682434204050818805845815022566206095","79191899621593532533436249530586203406","125370834313326116208340851629226823794","30186212636602150848587448288643157818","211860526166943230835017916133172963147","126983864628114207902170039322504203427","225047841610741006865687417325113099913","115780570543925241498317653264782563682","252678402519044559665368703656526820571","247794609571197718326198693170229080769","102559480401027562637532257408357370152","53041415668811756809709603735340584131","130860410183019239319661903978028876672","59494964315121551943563918799579033401","29112422483406493485408813087424766873","106804365306651492313548930973575582079","231211144925596345955252270086717397037","162709845835617272498288066625036701605","268580359404182809761239006023686448925","11941742108942646926261833673618733771","15517332172226296305233004174051765295","272395953641219851766987335898742164837","72629384957077003987382712121016953668","153476938366973071083602687920877725991","229553297026579130981143681686238639030","326800010238263560518410715674052953275","102151909713399897542330520066767292450","222310346547111351721370640129600828370","183840835685855063310498009802858574965","40535310066691273004751834503488548682","86635797155230003881195741516382043660","147566084724658537843690506463539792567","333440179749061811051433544726221540592","234572353945321258333557419581270505971","229438575656661693619413795735924577646","55163664288824895940547971718240376312","82004524271637906748371907513831268053"]},"id":"CVE-2020-13692-79959b5a","signature_version":"v1","signature_type":"Line","source":"https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65","deprecated":false,"target":{"file":"pgjdbc/src/main/java/org/postgresql/jdbc/PgSQLXML.java"}},{"digest":{"threshold":0.9,"line_ha
shes":["214235269788698345246242156671520595328","177935312425458215286246517861074993446","273380012420314821780336821462621493540","276739420936070932896591407790284965842","332524045378267214155457823990469606007","313552066178323306745775322183499976818"]},"id":"CVE-2020-13692-8ec1100a","signature_version":"v1","signature_type":"Line","source":"https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65","deprecated":false,"target":{"file":"pgjdbc/src/main/java/org/postgresql/core/BaseConnection.java"}},{"digest":{"length":1302,"function_hash":"318525118381693929322023161484656214399"},"id":"CVE-2020-13692-b64090ea","signature_version":"v1","signature_type":"Function","source":"https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65","deprecated":false,"target":{"function":"setResult","file":"pgjdbc/src/main/java/org/postgresql/jdbc/PgSQLXML.java"}},{"digest":{"threshold":0.9,"line_hashes":["221439530714648196366222214917449062033","309597444005107234273311345803202753046","238707077553605134237435261442906760103"]},"id":"CVE-2020-13692-f10df6ab","signature_type":"Line","signature_version":"v1","source":"https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65","deprecated":false,"target":{"file":"pgjdbc/src/main/java/org/postgresql/PGProperty.java"}},{"digest":{"length":1224,"function_hash":"111582918661843072749233034427746509323"},"id":"CVE-2020-13692-fd2f5b9f","signature_version":"v1","signature_type":"Function","source":"https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65","deprecated":false,"target":{"function":"ensureInitialized","file":"pgjdbc/src/main/java/org/postgresql/jdbc/PgSQLXML.java"}}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:H"}]}