CVE-2009-3230

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600.

References

http://archives.postgresql.org/pgsql-www/2009-09/msg00024.php

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html

http://marc.info/?l=bugtraq&m=134124585221119&w=2

http://secunia.com/advisories/36660

http://secunia.com/advisories/36695

http://secunia.com/advisories/36727

http://secunia.com/advisories/36800

http://secunia.com/advisories/36837

http://sunsolve.sun.com/search/document.do?assetkey=1-66-270408-1

http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0012

http://www.postgresql.org/docs/8.3/static/release-8-3-8.html

http://www.postgresql.org/support/security.html

http://www.securityfocus.com/archive/1/509917/100/0/threaded

http://www.securityfocus.com/bid/36314

http://www.ubuntu.com/usn/usn-834-1

http://www.us.debian.org/security/2009/dsa-1900

http://www.vupen.com/english/advisories/2009/2602

https://bugzilla.redhat.com/show_bug.cgi?id=522085

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10166

https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html

https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html

Details

Source: MITRE

Published: 2009-09-17

Updated: 2018-10-10

Type: CWE-264

Risk Information

CVSS v2

Base Score: 6.5

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:postgresql:postgresql:7.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.17:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.18:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.19:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.20:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.21:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.22:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.23:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.24:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.25:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.17:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.18:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.19:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.20:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.21:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4:*:*:*:*:*:*:*

Tenable Plugins

View all (34 total)

IDNameProductFamilySeverity
108005Solaris 10 (x86) : 138827-12NessusSolaris Local Security Checks
medium
107978Solaris 10 (x86) : 136999-10NessusSolaris Local Security Checks
medium
107893Solaris 10 (x86) : 123591-12NessusSolaris Local Security Checks
medium
107507Solaris 10 (sparc) : 138826-12NessusSolaris Local Security Checks
medium
107480Solaris 10 (sparc) : 136998-10NessusSolaris Local Security Checks
medium
107391Solaris 10 (sparc) : 123590-12NessusSolaris Local Security Checks
medium
67937Oracle Linux 3 : postgresql (ELSA-2009-1485)NessusOracle Linux Local Security Checks
medium
67936Oracle Linux 4 / 5 : postgresql (ELSA-2009-1484)NessusOracle Linux Local Security Checks
medium
60675Scientific Linux Security Update : postgresql on SL3.x, SL4.x, SL5.x i386/x86_64NessusScientific Linux Local Security Checks
medium
56626GLSA-201110-22 : PostgreSQL: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
49919SuSE 10 Security Update : PostgreSQL (ZYPP Patch Number 6535)NessusSuSE Local Security Checks
medium
44765Debian DSA-1900-1 : postgresql-7.4, postgresql-8.1, postgresql-8.3, postgresql-8.4 - several vulnerabilitiesNessusDebian Local Security Checks
medium
43800CentOS 4 / 5 : postgresql (CESA-2009:1484)NessusCentOS Local Security Checks
medium
42065RHEL 3 : postgresql (RHSA-2009:1485)NessusRed Hat Local Security Checks
medium
42064RHEL 4 / 5 : postgresql (RHSA-2009:1484)NessusRed Hat Local Security Checks
medium
42059CentOS 3 : postgresql (CESA-2009:1485)NessusCentOS Local Security Checks
medium
42031openSUSE 10 Security Update : postgresql (postgresql-6502)NessusSuSE Local Security Checks
medium
41959Mandriva Linux Security Advisory : postgresql8.2 (MDVSA-2009:251-1)NessusMandriva Local Security Checks
medium
41949MDVSA-2009:177 : postgresqlNessusMandriva Local Security Checks
medium
41939openSUSE Security Update : postgresql (postgresql-1322)NessusSuSE Local Security Checks
medium
41938openSUSE Security Update : postgresql (postgresql-1322)NessusSuSE Local Security Checks
medium
41643SuSE 10 Security Update : PostgreSQL (ZYPP Patch Number 6500)NessusSuSE Local Security Checks
medium
41642SuSE 11 Security Update : PostgreSQL (SAT Patch Number 1319)NessusSuSE Local Security Checks
medium
41641SuSE9 Security Update : PostgreSQL (YOU Patch Number 12509)NessusSuSE Local Security Checks
medium
41045Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 : postgresql-8.1, postgresql-8.3 vulnerabilities (USN-834-1)NessusUbuntu Local Security Checks
medium
5170PostgreSQL Multiple VulnerabilitiesNessus Network MonitorDatabase
medium
40954Fedora 10 : postgresql-8.3.8-1.fc10 (2009-9474)NessusFedora Local Security Checks
medium
40953Fedora 11 : postgresql-8.3.8-1.fc11 (2009-9473)NessusFedora Local Security Checks
medium
39558Solaris 10 (x86) : 138827-12 (deprecated)NessusSolaris Local Security Checks
medium
39555Solaris 10 (sparc) : 138826-12 (deprecated)NessusSolaris Local Security Checks
medium
30175Solaris 10 (x86) : 136999-10 (deprecated)NessusSolaris Local Security Checks
medium
30169Solaris 10 (sparc) : 136998-10 (deprecated)NessusSolaris Local Security Checks
medium
24849Solaris 10 (x86) : 123591-12 (deprecated)NessusSolaris Local Security Checks
medium
24845Solaris 10 (sparc) : 123590-12 (deprecated)NessusSolaris Local Security Checks
medium