PostgreSQL < 9.3.3 / 9.2.7 / 9.1.12 / 9.0.16 / 8.4.20 Multiple Vulnerabilities

Medium

Synopsis

The database running on the remote server is affected by multiple vulnerabilities.

Description

The version of PostgreSQL detected is earlier than 9.3.3 / 9.2.7 / 9.1.12 / 9.0.16 / 8.4.20 and is thus affected by the following vulnerabilities:

- A remote denial of service vulnerability due to a null pointer dereference error in the crypt() function of libc. (CVE-2014-0066)

- A remote stack-based buffer overflow due to improper handling of datetime input and output, which an attacker can leverage to execute arbitrary code in the context of the affected application. (CVE-2014-0063)

- A security bypass vulnerability that occurs when granting a SQL role without ADMIN OPTION, which an attacker could exploit to revoke access from other role members. (CVE-2014-0060)

- A security bypass vulnerability that occurs due to multiple errors when handling calls to PL validator functions, which can be exploited to gain access to restricted functionality. (CVE-2014-0061)

- Multiple remote buffer overflow vulnerabilities, and a remote stack overflow, due to inadequate bounds-checking of user-supplied data within multiple functions, which an attacker could leverage to execute arbitrary code in the context of the affected application. (CVE-2014-0064, CVE-2014-0065)

- A security bypass vulnerability due to errors when handling name lookups, which an attacker could exploit to cause permissions checks to be performed against a different table and thereafter perform unauthorized operations. (CVE-2014-0062)

Solution

Upgrade to PostgreSQL 9.3.3 / 9.2.7 / 9.1.12 / 9.0.16 / 8.4.20, or later.
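An added example, not part of the original plugin text: a branch-aware check that compares a reported PostgreSQL version against the fixed releases listed above (9.3.3 / 9.2.7 / 9.1.12 / 9.0.16 / 8.4.20), suitable for triaging inventory output from `SELECT version()` or `SHOW server_version`. It assumes branches newer than 9.3 carry the fixes and that branches older than 8.4 (which never received them) should be flagged; the sample version strings are constructed.

```python
import re

# Fixed minor release per branch, taken from the advisory above.
FIXED_MINOR = {
    (9, 3): 3,
    (9, 2): 7,
    (9, 1): 12,
    (9, 0): 16,
    (8, 4): 20,
}

# Leftmost "X.Y" or "X.Y.Z" in the text; version() output starts with it.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(version_text):
    """Return (major, minor, patch) from text such as the output of
    SELECT version() or SHOW server_version, or None if nothing matches."""
    m = _VERSION_RE.search(version_text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True when the reported version is earlier than its branch's fixed
    release. Assumptions (not stated by the advisory): branches newer than
    9.3, including the single-number majors from 10 on, are fixed; branches
    older than 8.4 never received the fixes and are reported as affected."""
    parsed = parse_version(version_text)
    if parsed is None:
        raise ValueError("no PostgreSQL version found in: %r" % version_text)
    major, minor, patch = parsed
    branch = (major, minor)
    if branch in FIXED_MINOR:
        return patch < FIXED_MINOR[branch]
    if major >= 10 or branch > (9, 3):
        return False
    return True


def triage(version_texts):
    """Map each constructed version string to its affected/not-affected verdict."""
    return {text: is_affected(text) for text in version_texts}


if __name__ == "__main__":
    # Constructed sample inventory, mimicking SELECT version() / SHOW server_version output.
    samples = [
        "PostgreSQL 9.2.4 on x86_64-unknown-linux-gnu, compiled by gcc (GCC) 4.8.2, 64-bit",
        "PostgreSQL 9.2.7 on x86_64-unknown-linux-gnu, compiled by gcc (GCC) 4.8.2, 64-bit",
        "9.3.2", "8.4.20", "8.3.23", "PostgreSQL 12.4",
    ]
    for text, affected in triage(samples).items():
        print("AFFECTED   " if affected else "not affected", text)
```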