CVE-2010-3433

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, as demonstrated by (1) redefining standard functions or (2) redefining operators, a different vulnerability than CVE-2010-1168, CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447.

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049591.html

http://lists.fedoraproject.org/pipermail/package-announce/2010-October/049592.html

http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html

http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00001.html

http://marc.info/?l=bugtraq&m=134124585221119&w=2

http://secunia.com/advisories/42325

http://www.debian.org/security/2010/dsa-2120

http://www.mandriva.com/security/advisories?name=MDVSA-2010:197

http://www.postgresql.org/about/news.1244

http://www.postgresql.org/docs/9.0/static/release-9-0-1.html

http://www.redhat.com/support/errata/RHSA-2010-0742.html

http://www.redhat.com/support/errata/RHSA-2010-0908.html

http://www.securityfocus.com/bid/43747

http://www.ubuntu.com/usn/USN-1002-1

http://www.ubuntu.com/usn/USN-1002-2

http://www.vupen.com/english/advisories/2010/3051

https://bugzilla.redhat.com/show_bug.cgi?id=639371

https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7291

Details

Source: MITRE

Published: 2010-10-06

Updated: 2017-09-19

Type: CWE-264

Risk Information

CVSS v2

Base Score: 6

Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 6.8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:postgresql:postgresql:7.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.17:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.18:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.19:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.20:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.21:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.22:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.23:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.24:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.25:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.26:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.27:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.28:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:7.4.29:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:postgresql:postgresql:8.0:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.17:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.18:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.19:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.20:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.21:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.22:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.23:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.24:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.0.25:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:postgresql:postgresql:8.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.17:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.18:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.19:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.20:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.1.21:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:postgresql:postgresql:8.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.2.17:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:postgresql:postgresql:8.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.11:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:postgresql:postgresql:8.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.4:*:*:*:*:*:*:*

Configuration 7

OR

cpe:2.3:a:postgresql:postgresql:9.0:*:*:*:*:*:*:*

Tenable Plugins

View all (22 total)

IDNameProductFamilySeverity
75712openSUSE Security Update : postgresql (openSUSE-SU-2010:0903-1)NessusSuSE Local Security Checks
medium
69872Juniper NSM Servers < 2012.1 Multiple VulnerabilitiesNessusMisc.
high
68109Oracle Linux 4 / 5 : postgresql / postgresql84 (ELSA-2010-0742)NessusOracle Linux Local Security Checks
medium
63350PostgreSQL 7.4 < 7.4.30 / 8.0 < 8.0.26 / 8.1 < 8.1.22 / 8.2 < 8.2.18 / 8.3 < 8.3.12 / 8.4 < 8.4.5 / 9.0 < 9.0.1NessusDatabases
medium
60906Scientific Linux Security Update : postgresql on SL6.x i386/x86_64NessusScientific Linux Local Security Checks
medium
60862Scientific Linux Security Update : postgresql and postgresql84 on SL4.x, SL5.x i386/x86_64NessusScientific Linux Local Security Checks
medium
56626GLSA-201110-22 : PostgreSQL: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
50703RHEL 6 : postgresql (RHSA-2010:0908)NessusRed Hat Local Security Checks
medium
50390Fedora 14 : sepostgresql-9.0.1-20101007.fc14 (2010-15870)NessusFedora Local Security Checks
high
50375openSUSE Security Update : postgresql (openSUSE-SU-2010:0903-1)NessusSuSE Local Security Checks
medium
50370openSUSE Security Update : postgresql (openSUSE-SU-2010:0903-1)NessusSuSE Local Security Checks
medium
50355Fedora 13 : sepostgresql-9.0.1-20101007.fc13 (2010-16004)NessusFedora Local Security Checks
high
50043SuSE 10 Security Update : PostgreSQL (ZYPP Patch Number 7186)NessusSuSE Local Security Checks
medium
50031Fedora 13 : postgresql-8.4.5-1.fc13 (2010-15960)NessusFedora Local Security Checks
medium
50029Fedora 12 : postgresql-8.4.5-1.fc12 (2010-15954)NessusFedora Local Security Checks
medium
50004Fedora 14 : postgresql-8.4.5-1.fc14 (2010-15852)NessusFedora Local Security Checks
medium
49966Debian DSA-2120-1 : postgresql-8.3 - privilege escalationNessusDebian Local Security Checks
medium
49804Ubuntu 10.10 : postgresql-8.4 vulnerability (USN-1002-2)NessusUbuntu Local Security Checks
medium
49803Ubuntu 6.06 LTS / 8.04 LTS / 9.04 / 9.10 / 10.04 LTS : postgresql-8.1, postgresql-8.3, postgresql-8.4 vulnerability (USN-1002-1)NessusUbuntu Local Security Checks
medium
49785RHEL 4 / 5 : postgresql and postgresql84 (RHSA-2010:0742)NessusRed Hat Local Security Checks
medium
49784Mandriva Linux Security Advisory : postgresql (MDVSA-2010:197)NessusMandriva Local Security Checks
medium
49781CentOS 4 / 5 : postgresql / postgresql84 (CESA-2010:0742)NessusCentOS Local Security Checks
medium