PRIOn knowledge basePRION:CVE-2009-3230Authorization
The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600.
| CPE | Name | Operator | Version |
|---|---|---|---|
| postgresql | eq | 7.4.16 | |
| postgresql | eq | 8.1.10 | |
| postgresql | eq | 8.1.6 | |
| postgresql | eq | 8.2.9 | |
| postgresql | eq | 8.0.7 | |
| postgresql | eq | 8.0.2 | |
| postgresql | eq | 8.1.15 | |
| postgresql | eq | 8.1.7 | |
| postgresql | eq | 8.3.6 | |
| postgresql | eq | 8.2.10 |
References
archives.postgresql.org/pgsql-www/2009-09/msg00024.php
lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
secunia.com/advisories/36660
secunia.com/advisories/36695
secunia.com/advisories/36727
secunia.com/advisories/36800
secunia.com/advisories/36837
sunsolve.sun.com/search/document.do?assetkey=1-66-270408-1
wiki.rpath.com/wiki/Advisories:rPSA-2010-0012
www.postgresql.org/docs/8.3/static/release-8-3-8.html
www.postgresql.org/support/security.html
www.securityfocus.com/archive/1/509917/100/0/threaded
www.securityfocus.com/bid/36314
www.ubuntu.com/usn/usn-834-1
www.us.debian.org/security/2009/dsa-1900
www.vupen.com/english/advisories/2009/2602
bugzilla.redhat.com/show_bug.cgi?id=522085
marc.info/?l=bugtraq&m=134124585221119&w=2
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10166
www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html
www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html
Related
