CVE-2012-0866

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table.

References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705

http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.html

http://rhn.redhat.com/errata/RHSA-2012-0677.html

http://rhn.redhat.com/errata/RHSA-2012-0678.html

http://secunia.com/advisories/49272

http://secunia.com/advisories/49273

http://www.debian.org/security/2012/dsa-2418

http://www.mandriva.com/security/advisories?name=MDVSA-2012:026

http://www.mandriva.com/security/advisories?name=MDVSA-2012:027

http://www.mandriva.com/security/advisories?name=MDVSA-2012:092

http://www.postgresql.org/about/news/1377/

http://www.postgresql.org/docs/8.3/static/release-8-3-18.html

http://www.postgresql.org/docs/8.4/static/release-8-4-11.html

http://www.postgresql.org/docs/9.0/static/release-9-0-7.html

http://www.postgresql.org/docs/9.1/static/release-9-1-3.html

Details

Source: MITRE

Published: 2012-07-18

Updated: 2016-12-08

Type: CWE-264

Risk Information

CVSS v2

Base Score: 6.5

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:postgresql:postgresql:8.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.17:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:postgresql:postgresql:8.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.10:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:postgresql:postgresql:9.0:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.6:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:postgresql:postgresql:9.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.1.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.1.2:*:*:*:*:*:*:*

Tenable Plugins

View all (27 total)

IDNameProductFamilySeverity
74756openSUSE Security Update : postgresql (openSUSE-SU-2012:1173-1)NessusSuSE Local Security Checks
medium
74591openSUSE Security Update : postgresql (openSUSE-SU-2012:0480-1)NessusSuSE Local Security Checks
medium
69689Amazon Linux AMI : postgresql8 (ALAS-2012-82)NessusAmazon Linux Local Security Checks
medium
68529Oracle Linux 5 / 6 : postgresql / postgresql84 (ELSA-2012-0678)NessusOracle Linux Local Security Checks
medium
68528Oracle Linux 5 : postgresql (ELSA-2012-0677)NessusOracle Linux Local Security Checks
medium
6817PostgreSQL < 8.4.11 / 9.0.7 / 9.1.3 Multiple VulnerabilitiesNessus Network MonitorDatabase
medium
64215SuSE 11.1 Security Update : PostgreSQL (SAT Patch Number 6023)NessusSuSE Local Security Checks
medium
63355PostgreSQL 8.3 < 8.3.18 Multiple VulnerabilitiesNessusDatabases
high
63352PostgreSQL 8.4 < 8.4.11 / 9.0 < 9.0.7 / 9.1 < 9.1.3 Multiple VulnerabilitiesNessusDatabases
medium
62380GLSA-201209-24 : PostgreSQL: Multiple vulnerabilitiesNessusGentoo Local Security Checks
medium
61317Scientific Linux Security Update : postgresql on SL5.x i386/x86_64 (20120521)NessusScientific Linux Local Security Checks
medium
61316Scientific Linux Security Update : postgresql and postgresql84 on SL5.x, SL6.x i386/x86_64 (20120521)NessusScientific Linux Local Security Checks
medium
59518Mandriva Linux Security Advisory : postgresql (MDVSA-2012:092)NessusMandriva Local Security Checks
medium
59384SuSE 10 Security Update : PostgreSQL (ZYPP Patch Number 8071)NessusSuSE Local Security Checks
medium
59223RHEL 5 / 6 : postgresql and postgresql84 (RHSA-2012:0678)NessusRed Hat Local Security Checks
medium
59222RHEL 5 : postgresql (RHSA-2012:0677)NessusRed Hat Local Security Checks
medium
59214CentOS 5 / 6 : postgresql / postgresql84 (CESA-2012:0678)NessusCentOS Local Security Checks
medium
59213CentOS 5 : postgresql (CESA-2012:0677)NessusCentOS Local Security Checks
medium
58282Fedora 16 : postgresql-9.1.3-1.fc16 (2012-2591)NessusFedora Local Security Checks
medium
58281Fedora 15 : postgresql-9.0.7-1.fc15 (2012-2589)NessusFedora Local Security Checks
medium
58257Fedora 17 : postgresql-9.1.3-1.fc17 (2012-2508)NessusFedora Local Security Checks
medium
58177Mandriva Linux Security Advisory : postgresql (MDVSA-2012:026)NessusMandriva Local Security Checks
medium
58168Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerabilities (USN-1378-1)NessusUbuntu Local Security Checks
medium
58162FreeBSD : databases/postgresql*-client -- multiple vulnerabilities (174b8864-6237-11e1-be18-14dae938ec40)NessusFreeBSD Local Security Checks
medium
6337PostgreSQL < 9.1.3 / 9.0.7 / 8.4.11 Multiple VulnerabilitiesNessus Network MonitorDatabase
medium
6336PostgreSQL 8.3.x < 8.3.18 Multiple VulnerabilitiesNessus Network MonitorDatabase
medium
58135Debian DSA-2418-1 : postgresql-8.4 - several vulnerabilitiesNessusDebian Local Security Checks
medium