PostgreSQL < 8.3.19 / 8.4.12 / 9.0.8 / 9.1.4 Multiple Vulnerabilities

medium Nessus Network Monitor Plugin ID 6816

Synopsis

The remote database server is affected by multiple vulnerabilities.

Description

Versions of PostgreSQL earlier than 8.3.19/ 8.4.12 / 9.0.8 / 9.1.4 are potentially affected by multiple vulnerabilities. It therefore is affected by the following vulnerabilities :

- Passwords containing the byte 0x80 passed to the crypt() function in pgcrypto are incorrectly truncated if DES encryption was used. (CVE-2012-2143)

- SECURITY_DEFINER and SET attributes on procedural call handlers are not ignored and can be used to crash the server. (CVE-2012-2655)

Solution

Upgrade to PostgreSQL 8.3.19 / 8.4.12 / 9.0.8 / 9.1.4 or later.

See Also

http://www.postgresql.org/about/news/1398

http://www.postgresql.org/docs/8.3/static/release-8-3-19.html

http://www.postgresql.org/docs/8.4/static/release-8-4-12.html

http://www.postgresql.org/docs/9.0/static/release-9-0-8.html

http://www.postgresql.org/docs/9.1/static/release-9-1-4.html

Plugin Details

Severity: Medium

ID: 6816

Family: Database

Published: 5/14/2013

Updated: 3/6/2019

Nessus ID: 63353

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 6.2

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:postgresql:postgresql

Patch Publication Date: 5/30/2012

Vulnerability Publication Date: 5/31/2012

Reference Information

CVE: CVE-2012-2143, CVE-2012-2655

BID: 53729, 53812