PostgreSQL < 8.3.19 / 8.4.12 / 9.0.8 / 9.1.4 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 6816

Synopsis

The remote database server is affected by multiple vulnerabilities.

Description

Versions of PostgreSQL earlier than 8.3.19/ 8.4.12 / 9.0.8 / 9.1.4 are potentially affected by multiple vulnerabilities. It therefore is affected by the following vulnerabilities :

- Passwords containing the byte 0x80 passed to the crypt() function in pgcrypto are incorrectly truncated if DES encryption was used. (CVE-2012-2143)

- SECURITY_DEFINER and SET attributes on procedural call handlers are not ignored and can be used to crash the server. (CVE-2012-2655)

Solution

Upgrade to PostgreSQL 8.3.19 / 8.4.12 / 9.0.8 / 9.1.4 or later.

See Also

http://www.postgresql.org/about/news/1398

http://www.postgresql.org/docs/8.3/static/release-8-3-19.html

http://www.postgresql.org/docs/8.4/static/release-8-4-12.html

http://www.postgresql.org/docs/9.0/static/release-9-0-8.html

http://www.postgresql.org/docs/9.1/static/release-9-1-4.html

Plugin Details

Severity: Medium

ID: 6816

File Name: 6816.prm

Family: Database

Published: 2013/05/14

Modified: 2016/01/30

Dependencies: 8704, 8705

Nessus ID: 63353

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 6.2

Temporal Score: 6.8

Vector: CVSS3#AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:postgresql:postgresql

Patch Publication Date: 2012/05/30

Vulnerability Publication Date: 2012/05/31

Reference Information

CVE: CVE-2012-2143, CVE-2012-2655

BID: 53729, 53812