CVE-2007-2138

2007-04-2420:19:00

CWE-264

mitre

web.nvd.nist.gov

173

postgresql

untrusted search path

vulnerability

security

nvd

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

AI Score

8.5

Confidence

High

EPSS

0.004

Percentile

73.3%

JSON

Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x before 8.0.13, 8.1.x before 8.1.9, and 8.2.x before 8.2.4 allows remote authenticated users, when permitted to call a SECURITY DEFINER function, to gain the privileges of the function owner, related to “search_path settings.”

Affected configurations

Nvd

Node

postgresqlpostgresqlRange<7.3.19

postgresqlpostgresqlRange7.4–7.4.17

postgresqlpostgresqlRange8.0–8.0.13

postgresqlpostgresqlRange8.1–8.1.9

postgresqlpostgresqlRange8.2–8.2.4

Node

debiandebian_linuxMatch3.1

debiandebian_linuxMatch4.0

Node

canonicalubuntu_linuxMatch6.06lts

canonicalubuntu_linuxMatch6.10

canonicalubuntu_linuxMatch7.04

VendorProductVersionCPE
postgresqlpostgresql*cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
debiandebian_linux3.1cpe:2.3:o:debian:debian_linux:3.1:*:*:*:*:*:*:*
debiandebian_linux4.0cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
canonicalubuntu_linux6.06cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:lts:*:*:*
canonicalubuntu_linux6.10cpe:2.3:o:canonical:ubuntu_linux:6.10:*:*:*:*:*:*:*
canonicalubuntu_linux7.04cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
postgresql	postgresql	*	cpe:2.3:a:postgresql:postgresql::::::::
debian	debian_linux	3.1	cpe:2.3:o:debian:debian_linux:3.1:::::::*
debian	debian_linux	4.0	cpe:2.3:o:debian:debian_linux:4.0:::::::*
canonical	ubuntu_linux	6.06	cpe:2.3:o:canonical:ubuntu_linux:6.06::::lts:::
canonical	ubuntu_linux	6.10	cpe:2.3:o:canonical:ubuntu_linux:6.10:::::::*
canonical	ubuntu_linux	7.04	cpe:2.3:o:canonical:ubuntu_linux:7.04:::::::*