CVE-2013-0255

medium
New! CVE Severity Now Using CVSS v3

The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.

Description

PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read.

References

http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098586.html

http://lists.opensuse.org/opensuse-updates/2013-02/msg00059.html

http://lists.opensuse.org/opensuse-updates/2013-02/msg00060.html

http://osvdb.org/89935

http://rhn.redhat.com/errata/RHSA-2013-1475.html

http://secunia.com/advisories/51923

http://secunia.com/advisories/52819

http://securitytracker.com/id?1028092

http://www.debian.org/security/2013/dsa-2630

http://www.mandriva.com/security/advisories?name=MDVSA-2013:142

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://www.postgresql.org/docs/8.3/static/release-8-3-23.html

http://www.postgresql.org/docs/8.4/static/release-8-4-16.html

http://www.postgresql.org/docs/9.0/static/release-9-0-12.html

http://www.postgresql.org/docs/9.1/static/release-9-1-8.html

http://www.postgresql.org/docs/9.2/static/release-9-2-3.html

http://www.securityfocus.com/bid/57844

http://www.ubuntu.com/usn/USN-1717-1

https://blogs.oracle.com/sunsecurity/entry/cve_2013_0255_array_index

https://bugzilla.redhat.com/show_bug.cgi?id=907892

https://exchange.xforce.ibmcloud.com/vulnerabilities/81917

Details

Source: MITRE

Published: 2013-02-13

Updated: 2017-10-20

Type: CWE-20

Risk Information

CVSS v2

Base Score: 6.8

Vector: AV:N/AC:L/Au:S/C:N/I:N/A:C

Impact Score: 6.9

Exploitability Score: 8

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:postgresql:postgresql:8.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.15:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.16:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.17:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.18:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.19:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.20:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.21:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.3.22:*:*:*:*:*:*:*

Configuration 2

OR

cpe:2.3:a:postgresql:postgresql:8.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.11:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.12:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.13:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.14:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:8.4.15:*:*:*:*:*:*:*

Configuration 3

OR

cpe:2.3:a:postgresql:postgresql:9.0:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.7:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.8:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.9:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.10:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.0.11:*:*:*:*:*:*:*

Configuration 4

OR

cpe:2.3:a:postgresql:postgresql:9.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.1.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.1.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.1.3:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.1.4:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.1.5:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.1.6:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.1.7:*:*:*:*:*:*:*

Configuration 5

OR

cpe:2.3:a:postgresql:postgresql:9.2:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.2.1:*:*:*:*:*:*:*

cpe:2.3:a:postgresql:postgresql:9.2.2:*:*:*:*:*:*:*

Tenable Plugins

View all (17 total)

IDNameProductFamilySeverity
77459GLSA-201408-15 : PostgreSQL: Multiple vulnerabilitiesNessusGentoo Local Security Checks
high
74897openSUSE Security Update : postgresql91 (openSUSE-SU-2013:0318-1)NessusSuSE Local Security Checks
medium
70906Amazon Linux AMI : postgresql8 (ALAS-2013-244)NessusAmazon Linux Local Security Checks
high
70705Scientific Linux Security Update : postgresql and postgresql84 on SL5.x, SL6.x i386/x86_64 (20131029)NessusScientific Linux Local Security Checks
high
70696RHEL 5 / 6 : postgresql and postgresql84 (RHSA-2013:1475)NessusRed Hat Local Security Checks
high
70692Oracle Linux 5 / 6 : postgresql / postgresql84 (ELSA-2013-1475)NessusOracle Linux Local Security Checks
high
70687CentOS 5 / 6 : postgresql / postgresql84 (CESA-2013:1475)NessusCentOS Local Security Checks
high
66154Mandriva Linux Security Advisory : postgresql (MDVSA-2013:142)NessusMandriva Local Security Checks
high
6743PostgreSQL < 8.3.23 / 8.4.16 / 9.0.12 / 9.1.8 / 9.2.3 Denial of ServiceNessus Network MonitorDatabase
medium
65683SuSE 11.2 Security Update : PostgreSQL (SAT Patch Number 7340)NessusSuSE Local Security Checks
medium
65682SuSE 11.2 Security Update : PostgreSQL (SAT Patch Number 7342)NessusSuSE Local Security Checks
medium
64732Debian DSA-2630-1 : postgresql-8.4 - programming errorNessusDebian Local Security Checks
medium
64669PostgreSQL 8.3 < 8.3.23 / 8.4 < 8.4.16 / 9.0 < 9.0.12 / 9.1 < 9.1.8 / 9.2 < 9.2.3 Denial of ServiceNessusDatabases
medium
64665Fedora 17 : postgresql-9.1.8-1.fc17 (2013-2152)NessusFedora Local Security Checks
medium
64647Mandriva Linux Security Advisory : postgresql (MDVSA-2013:012)NessusMandriva Local Security Checks
medium
64616Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerability (USN-1717-1)NessusUbuntu Local Security Checks
medium
64554Fedora 18 : postgresql-9.2.3-1.fc18 (2013-2123)NessusFedora Local Security Checks
medium