CVE-2010-1169

HIGH

Description

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. NOTE: some sources report that this issue is the same as CVE-2010-1447.

References

http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041559.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041579.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041591.html

http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html

http://marc.info/?l=bugtraq&m=134124585221119&w=2

http://osvdb.org/64755

http://secunia.com/advisories/39815

http://secunia.com/advisories/39820

http://secunia.com/advisories/39845

http://secunia.com/advisories/39898

http://secunia.com/advisories/39939

http://www.debian.org/security/2010/dsa-2051

http://www.mandriva.com/security/advisories?name=MDVSA-2010:103

http://www.openwall.com/lists/oss-security/2010/05/20/5

http://www.postgresql.org/about/news.1203

http://www.postgresql.org/docs/current/static/release-7-4-29.html

http://www.postgresql.org/docs/current/static/release-8-0-25.html

http://www.postgresql.org/docs/current/static/release-8-1-21.html

http://www.postgresql.org/docs/current/static/release-8-2-17.html

http://www.postgresql.org/docs/current/static/release-8-3-11.html

http://www.postgresql.org/docs/current/static/release-8-4-4.html

http://www.postgresql.org/support/security

http://www.redhat.com/support/errata/RHSA-2010-0427.html

http://www.redhat.com/support/errata/RHSA-2010-0428.html

http://www.redhat.com/support/errata/RHSA-2010-0429.html

http://www.redhat.com/support/errata/RHSA-2010-0430.html

http://www.securityfocus.com/bid/40215

http://www.securitytracker.com/id?1023988

http://www.vupen.com/english/advisories/2010/1167

http://www.vupen.com/english/advisories/2010/1182

http://www.vupen.com/english/advisories/2010/1197

http://www.vupen.com/english/advisories/2010/1198

http://www.vupen.com/english/advisories/2010/1207

http://www.vupen.com/english/advisories/2010/1221

https://bugzilla.redhat.com/show_bug.cgi?id=582615

https://bugzilla.redhat.com/show_bug.cgi?id=588269

https://exchange.xforce.ibmcloud.com/vulnerabilities/58693

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10645

Details

Source: MITRE

Published: 2010-05-19

Updated: 2017-09-19

Type: CWE-94

Risk Information

CVSS v2

Base Score: 8.5

Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C

Impact Score: 10

Exploitability Score: 6.8

Severity: HIGH

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:postgresql:postgresql:7.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.17:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.18:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.19:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.20:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.21:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.22:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.23:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.24:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.25:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.26:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.27:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.28:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:postgresql:postgresql:8.0:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.0:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.17:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.18:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.19:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.20:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.21:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.22:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.23:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.24:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:postgresql:postgresql:8.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.0:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.17:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.18:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.19:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.20:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:postgresql:postgresql:8.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.16:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:postgresql:postgresql:8.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.10:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:postgresql:postgresql:8.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.3:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:a:postgresql:postgresql:9.0.0:beta1:*:*:*:*:*:*

Tenable Plugins

ID | Name | Product | Family | Severity
69872 | Juniper NSM Servers < 2012.1 Multiple Vulnerabilities | Nessus | Misc. | high
68045 | Oracle Linux 5 : postgresql84 (ELSA-2010-0430) | Nessus | Oracle Linux Local Security Checks | high
68044 | Oracle Linux 5 : postgresql (ELSA-2010-0429) | Nessus | Oracle Linux Local Security Checks | high
68043 | Oracle Linux 4 : postgresql (ELSA-2010-0428) | Nessus | Oracle Linux Local Security Checks | high
68042 | Oracle Linux 3 : postgresql (ELSA-2010-0427) | Nessus | Oracle Linux Local Security Checks | high
63349 | PostgreSQL 7.4 < 7.4.29 / 8.0 < 8.0.25 / 8.1 < 8.1.21 / 8.2 < 8.2.17 / 8.3 < 8.3.11 / 8.4 < 8.4.4 Multiple Vulnerabilities | Nessus | Databases | high
60795 | Scientific Linux Security Update : postgresql on SL3.x, SL4.x, SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | high
60794 | Scientific Linux Security Update : postgresql84 on SL5.x i386/x86_64 | Nessus | Scientific Linux Local Security Checks | high
56626 | GLSA-201110-22 : PostgreSQL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high
50958 | SuSE 11 / 11.1 Security Update : postgresql (SAT Patch Numbers 2457 / 2458) | Nessus | SuSE Local Security Checks | high
50390 | Fedora 14 : sepostgresql-9.0.1-20101007.fc14 (2010-15870) | Nessus | Fedora Local Security Checks | high
50355 | Fedora 13 : sepostgresql-9.0.1-20101007.fc13 (2010-16004) | Nessus | Fedora Local Security Checks | high
49921 | SuSE 10 Security Update : postgresql (ZYPP Patch Number 7053) | Nessus | SuSE Local Security Checks | high
47733 | openSUSE Security Update : postgresql (openSUSE-SU-2010:0371-1) | Nessus | SuSE Local Security Checks | high
47730 | openSUSE Security Update : postgresql (openSUSE-SU-2010:0371-1) | Nessus | SuSE Local Security Checks | high
47727 | openSUSE Security Update : postgresql (openSUSE-SU-2010:0371-1) | Nessus | SuSE Local Security Checks | high
47508 | Fedora 11 : postgresql-8.3.11-1.fc11 (2010-8723) | Nessus | Fedora Local Security Checks | high
47507 | Fedora 12 : postgresql-8.4.4-1.fc12 (2010-8715) | Nessus | Fedora Local Security Checks | high
47506 | Fedora 13 : postgresql-8.4.4-1.fc13 (2010-8696) | Nessus | Fedora Local Security Checks | high
46762 | CentOS 5 : postgresql84 (CESA-2010:0430) | Nessus | CentOS Local Security Checks | high
46761 | CentOS 5 : postgresql (CESA-2010:0429) | Nessus | CentOS Local Security Checks | high
46710 | Debian DSA-2051-1 : postgresql-8.3 - several vulnerabilities | Nessus | Debian Local Security Checks | high
46700 | Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : postgresql-8.1, postgresql-8.3, postgresql-8.4 vulnerabilities (USN-942-1) | Nessus | Ubuntu Local Security Checks | high
46696 | CentOS 4 : postgresql (CESA-2010:0428) | Nessus | CentOS Local Security Checks | high
46695 | CentOS 3 : postgresql (CESA-2010:0427) | Nessus | CentOS Local Security Checks | high
46690 | Mandriva Linux Security Advisory : postgresql (MDVSA-2010:103) | Nessus | Mandriva Local Security Checks | high
46684 | RHEL 5 : postgresql84 (RHSA-2010:0430) | Nessus | Red Hat Local Security Checks | high
46683 | RHEL 5 : postgresql (RHSA-2010:0429) | Nessus | Red Hat Local Security Checks | high
46682 | RHEL 4 : postgresql (RHSA-2010:0428) | Nessus | Red Hat Local Security Checks | high
46681 | RHEL 3 : postgresql (RHSA-2010:0427) | Nessus | Red Hat Local Security Checks | high
5546 | PostgreSQL < 8.4.4/8.3.11/8.2.17/8.1.21/8.0.25/7.4.29 Multiple Vulnerabilities | Nessus Network Monitor | Database | medium