PostgreSQL < 9.3.3 / 9.2.7 / 9.1.12 / 9.0.16 / 8.4.20 Multiple Vulnerabilities
PVS ID: 8133 FAMILY: Database RISK: MEDIUM NESSUS ID:72611
Description: Synopsis :\n\nThe database running on the remote server is affected by multiple vulnerabilities.\n\nThe version of PostgreSQL detected is earlier than 9.3.3 / 9.2.7 / 9.1.12 / 9.0.16 / 8.4.20 and is thus affected by the following vulnerabilities:\n\n - A remote denial of service vulnerability due to a null pointer dereference error in the crypt() function of libc. (CVE-2014-0066)\n\n - A remote stack-based buffer overflow due to improper handling of datetime input and output, which an attacker can leverage to execute arbitrary code in the context of the affected application. (CVE-2014-0063)\n\n - A security bypass vulnerability that occurs when granting a SQL role without ADMIN OPTION, which an attacker could exploit to revoke access from other role members. (CVE-2014-0060)\n\n - A security bypass vulnerability that occurs due to multiple errors when handling calls to PL validator functions, which can be exploited to gain access to restricted functionality. (CVE-2014-0061)\n\n - Multiple remote buffer-overflow vulnerabilities, and a remote stack overflow, due to inadequate bounds-checking of user-supplied data within multiple functions, which an attacker could leverage to execute arbitrary code in the context of the affected application. (CVE-2014-0064, CVE-2014-0065)\n\n - A security-bypass vulnerability due to errors when handling name lookups, which an attacker could exploit to cause permissions checks to be performed against a different table and thereafter perform unauthorized operations. (CVE-2014-0062)\n\nVersion of PostgreSQL installed on the remote host is:\n %L

Solution: Upgrade to PostgreSQL 9.3.3 / 9.2.7 / 9.1.12 / 9.0.16 / 8.4.20, or later.

CVE-2014-0066


Copyright Tenable Network Security Inc. 2014