CVE-2007-3279

critical

Description

PostgreSQL 8.1 and probably later versions, when the PL/pgSQL (plpgsql) language has been created, grants certain plpgsql privileges to the PUBLIC domain, which allows remote attackers to create and execute functions, as demonstrated by functions that perform local brute-force password guessing attacks, which may evade intrusion detection.

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/35144

http://www.securityfocus.com/archive/1/471541/100/0/threaded

http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf

http://www.mandriva.com/security/advisories?name=MDKSA-2007:188

http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt

http://osvdb.org/40900

Details

Source: Mitre, NVD

Published: 2007-06-19

Updated: 2018-10-16

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical