CVE-2012-0867

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.

References

http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.html

http://rhn.redhat.com/errata/RHSA-2012-0678.html

http://secunia.com/advisories/49273

http://www.debian.org/security/2012/dsa-2418

http://www.mandriva.com/security/advisories?name=MDVSA-2012:026

http://www.postgresql.org/about/news/1377/

http://www.postgresql.org/docs/8.4/static/release-8-4-11.html

http://www.postgresql.org/docs/9.0/static/release-9-0-7.html

http://www.postgresql.org/docs/9.1/static/release-9-1-3.html

Details

Source: MITRE

Published: 2012-07-18

Updated: 2016-12-07

Type: CWE-20

Risk Information

CVSS v2

Base Score: 4.3

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 8.6

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:o:opensuse_project:opensuse:12.2:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:postgresql:postgresql:8.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.10:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:postgresql:postgresql:9.0:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.6:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:o:debian:debian_linux:6.0:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:o:redhat:desktop_workstation:5:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_aus:6.2:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_server_eus:6.2.z:*:*:*:*:*:*:*

cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*

Configuration 6

OR

cpe:2.3:a:postgresql:postgresql:9.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.1.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.1.2:*:*:*:*:*:*:*

Tenable Plugins

View all (19 total)

IDNameProductFamilySeverity
74756openSUSE Security Update : postgresql (openSUSE-SU-2012:1173-1)NessusSuSE Local Security Checks
medium
74591openSUSE Security Update : postgresql (openSUSE-SU-2012:0480-1)NessusSuSE Local Security Checks
medium
69689Amazon Linux AMI : postgresql8 (ALAS-2012-82)NessusAmazon Linux Local Security Checks
medium
68529Oracle Linux 5 / 6 : postgresql / postgresql84 (ELSA-2012-0678)NessusOracle Linux Local Security Checks
medium
6817PostgreSQL < 8.4.11 / 9.0.7 / 9.1.3 Multiple VulnerabilitiesNessus Network MonitorDatabase
medium
63352PostgreSQL 8.4 < 8.4.11 / 9.0 < 9.0.7 / 9.1 < 9.1.3 Multiple VulnerabilitiesNessusDatabases
medium
62380GLSA-201209-24 : PostgreSQL: Multiple vulnerabilitiesNessusGentoo Local Security Checks
medium
61316Scientific Linux Security Update : postgresql and postgresql84 on SL5.x, SL6.x i386/x86_64 (20120521)NessusScientific Linux Local Security Checks
medium
59223RHEL 5 / 6 : postgresql and postgresql84 (RHSA-2012:0678)NessusRed Hat Local Security Checks
medium
59214CentOS 5 / 6 : postgresql / postgresql84 (CESA-2012:0678)NessusCentOS Local Security Checks
medium
58282Fedora 16 : postgresql-9.1.3-1.fc16 (2012-2591)NessusFedora Local Security Checks
medium
58281Fedora 15 : postgresql-9.0.7-1.fc15 (2012-2589)NessusFedora Local Security Checks
medium
58257Fedora 17 : postgresql-9.1.3-1.fc17 (2012-2508)NessusFedora Local Security Checks
medium
58177Mandriva Linux Security Advisory : postgresql (MDVSA-2012:026)NessusMandriva Local Security Checks
medium
58168Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 / 11.10 : postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerabilities (USN-1378-1)NessusUbuntu Local Security Checks
medium
58162FreeBSD : databases/postgresql*-client -- multiple vulnerabilities (174b8864-6237-11e1-be18-14dae938ec40)NessusFreeBSD Local Security Checks
medium
6337PostgreSQL < 9.1.3 / 9.0.7 / 8.4.11 Multiple VulnerabilitiesNessus Network MonitorDatabase
medium
6336PostgreSQL 8.3.x < 8.3.18 Multiple VulnerabilitiesNessus Network MonitorDatabase
medium
58135Debian DSA-2418-1 : postgresql-8.4 - several vulnerabilitiesNessusDebian Local Security Checks
medium