The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of PostgreSQL

vulnerability bulletin CVE-2017-7546 CVE-2017-7547 CVE-2017-7548

PostgreSQL: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, WindRiver Linux.
Severity: 2/4.
Creation date: 10/08/2017.
Identifiers: CVE-2017-7546, CVE-2017-7547, CVE-2017-7548, DLA-1051-1, DSA-3935-1, DSA-3936-1, FEDORA-2017-9148fe36b9, FEDORA-2017-d9cac37bd8, FEDORA-2017-f9e66916ec, openSUSE-SU-2017:2306-1, openSUSE-SU-2017:2391-1, openSUSE-SU-2017:2392-1, RHSA-2017:2677-01, RHSA-2017:2678-01, RHSA-2017:2728-01, RHSA-2017:2860-01, SUSE-SU-2017:2236-1, SUSE-SU-2017:2258-1, SUSE-SU-2017:2355-1, SUSE-SU-2017:2356-1, USN-3390-1, VIGILANCE-VUL-23493.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

An attacker can bypass security features via Libpq Empty Passwords, in order to escalate his privileges. [severity:2/4; CVE-2017-7546]

An attacker can bypass security features via pg_user_mappings.umoptions, in order to obtain sensitive information. [severity:2/4; CVE-2017-7547]

An attacker can bypass security features via lo_put(), in order to escalate his privileges. [severity:2/4; CVE-2017-7548]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability note CVE-2017-7484 CVE-2017-7485 CVE-2017-7486

PostgreSQL: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, openSUSE Leap, PostgreSQL, RHEL.
Severity: 2/4.
Creation date: 11/05/2017.
Identifiers: CVE-2017-7484, CVE-2017-7485, CVE-2017-7486, DLA-1051-1, DSA-3851-1, FEDORA-2017-0d5817efc0, FEDORA-2017-4de07172f4, FEDORA-2017-a8f4562bf5, openSUSE-SU-2017:1495-1, openSUSE-SU-2017:1772-1, RHSA-2017:1677-01, RHSA-2017:1678-01, RHSA-2017:1983-01, VIGILANCE-VUL-22714.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

An attacker can bypass security features via Selectivity Estimators, in order to escalate his privileges. [severity:2/4; CVE-2017-7484]

An attacker can act as a Man-in-the-Middle via libpq, in order to read or write data in the session. [severity:2/4; CVE-2017-7485]

An attacker can bypass security features via pg_user_mappings, in order to obtain sensitive information. [severity:2/4; CVE-2017-7486]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2016-5423 CVE-2016-5424

PostgreSQL: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, openSUSE, openSUSE Leap, PostgreSQL, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 11/08/2016.
Identifiers: CERTFR-2016-AVI-281, CVE-2016-5423, CVE-2016-5424, DLA-592-1, DSA-3646-1, FEDORA-2016-30b01bdedd, FEDORA-2016-5486a6dfc0, openSUSE-SU-2016:2425-1, openSUSE-SU-2016:2464-1, openSUSE-SU-2017:1021-1, RHSA-2016:1781-01, RHSA-2016:1820-01, RHSA-2016:1821-01, RHSA-2016:2606-02, SUSE-SU-2016:2414-1, SUSE-SU-2016:2415-1, SUSE-SU-2016:2418-1, USN-3066-1, VIGILANCE-VUL-20369.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

An attacker can trigger a fatal error via Nested CASE, in order to trigger a denial of service. [severity:1/4; CVE-2016-5423]

An attacker can use a database or role name with injected commands, which are run by administrative operations such as pg_dumpall, in order to run privileged code. [severity:2/4; CVE-2016-5424]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability announce CVE-2016-2193 CVE-2016-3065

PostgreSQL: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: PostgreSQL.
Severity: 2/4.
Creation date: 31/03/2016.
Identifiers: CVE-2016-2193, CVE-2016-3065, VIGILANCE-VUL-19277.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

An attacker can bypass policies restrictions of Row Level Security, in order to read or alter data. [severity:2/4; CVE-2016-2193]

An attacker can force a read at an invalid address in pageinspect, in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2016-3065]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability alert CVE-2016-0766 CVE-2016-0773

PostgreSQL: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, NSM Central Manager, NSMXpress, openSUSE, openSUSE Leap, PostgreSQL, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 11/02/2016.
Identifiers: CERTA-2002-AVI-163, CERTFR-2017-AVI-012, CERTFR-2017-AVI-022, CVE-2016-0766, CVE-2016-0773, DSA-3475-1, DSA-3476-1, FEDORA-2016-b0c2412ab2, FEDORA-2016-e0a6c9ebc4, JSA10774, openSUSE-SU-2016:0531-1, openSUSE-SU-2016:0578-1, RHSA-2016:0346-01, RHSA-2016:0347-01, RHSA-2016:0348-01, RHSA-2016:0349-01, SUSE-SU-2016:0539-1, SUSE-SU-2016:0555-1, SUSE-SU-2016:0677-1, USN-2894-1, VIGILANCE-VUL-18931.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

An attacker can cause a memory corruption or an endless loop using large character range in regular expressions, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-0773]

An attacker can use stored procedures written in Java in order to change system parameters that should be writable only by administrators. [severity:2/4; CVE-2016-0766]

The change to fix the vulnerability CVE-2007-4772 (VIGILANCE-VUL-7475) was incorrect, an attacker can use regular expressions to trigger an overload and so a denial of service. [severity:1/4; CERTA-2002-AVI-163]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability announce CVE-2015-5288 CVE-2015-5289

PostgreSQL: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Clearswift Email Gateway, Debian, Fedora, openSUSE, PostgreSQL, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Creation date: 08/10/2015.
Identifiers: CERTFR-2015-AVI-433, CVE-2015-5288, CVE-2015-5289, DSA-3374-1, DSA-3475-1, FEDORA-2015-6d2a957a87, openSUSE-SU-2015:1907-1, openSUSE-SU-2015:1919-1, RHSA-2015:2077-01, RHSA-2015:2078-01, RHSA-2015:2081-01, RHSA-2015:2083-01, SUSE-SU-2016:0677-1, USN-2772-1, VIGILANCE-VUL-18062.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

An attacker can trigger a fatal error when json/jsonb data are analyzed, in order to trigger a denial of service. [severity:2/4; CVE-2015-5289]

An attacker can read a memory fragment via the crypt() function, in order to obtain sensitive information. [severity:1/4; CVE-2015-5288]
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability CVE-2015-3165 CVE-2015-3166 CVE-2015-3167

PostgreSQL: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, PostgreSQL, RHEL, Ubuntu.
Severity: 2/4.
Creation date: 22/05/2015.
Identifiers: CERTFR-2015-AVI-239, CVE-2015-3165, CVE-2015-3166, CVE-2015-3167, DSA-3269-1, DSA-3269-2, DSA-3270-1, FEDORA-2015-8815, RHSA-2015:1194-01, RHSA-2015:1195-01, RHSA-2015:1196-01, USN-2621-1, VIGILANCE-VUL-16975.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

An attacker can force the usage of a freed memory area after an Authentication Timeout, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; CVE-2015-3165]

An attacker can trigger a fatal error in Standard Library, in order to trigger a denial of service. [severity:2/4; CVE-2015-3166]

An attacker can read the various pgcrypto error messages, in order to more easily perform a brute force. [severity:1/4; CVE-2015-3167]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability alert CVE-2014-8161 CVE-2015-0241 CVE-2015-0242

PostgreSQL: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, MBS, openSUSE, PostgreSQL, Puppet, RHEL, Ubuntu.
Severity: 2/4.
Creation date: 05/02/2015.
Identifiers: CERTFR-2015-AVI-070, CVE-2014-8161, CVE-2015-0241, CVE-2015-0242, CVE-2015-0243, CVE-2015-0244, DSA-3155-1, FEDORA-2015-1728, FEDORA-2015-1745, MDVSA-2015:048, MDVSA-2015:110, openSUSE-SU-2015:0414-1, openSUSE-SU-2015:0499-1, RHSA-2015:0699-01, RHSA-2015:0750-01, RHSA-2015:0856-01, USN-2499-1, VIGILANCE-VUL-16121.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

An attacker can generate a buffer overflow in to_char, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; CVE-2015-0241]

An attacker can generate a buffer overflow in printf, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; CVE-2015-0242]

An attacker can generate a memory corruption in pgcrypto, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; CVE-2015-0243]

An attacker can force a read at an invalid address via a protocol message, in order to trigger a denial of service. [severity:1/4; CVE-2015-0244]

An attacker can read the content of protected columns, in order to obtain sensitive information. [severity:1/4; CVE-2014-8161]
Complete Vigil@nce bulletin.... (Free trial)

vulnerability CVE-2014-0067

PostgreSQL: read-write access via make check

Synthesis of the vulnerability

When "make check" is run, a local attacker can access to PostgreSQL, in order to read or alter data.
Impacted products: Debian, MBS, openSUSE, PostgreSQL.
Severity: 2/4.
Creation date: 20/02/2014.
Identifiers: BID-65721, CERTFR-2014-AVI-080, CVE-2014-0067, DSA-2864-1, DSA-2865-1, MDVSA-2014:047, MDVSA-2015:110, openSUSE-SU-2014:0345-1, openSUSE-SU-2014:0368-1, VIGILANCE-VUL-14290.

Description of the vulnerability

The PostgreSQL product has a test suite, which is run via the "make test" command.

However, during these tests, the access to the local socket is set to "trust", which means that a local user can connect with no authentication.

When "make check" is run, a local attacker can therefore access to PostgreSQL, in order to read or alter data.
Complete Vigil@nce bulletin.... (Free trial)

computer vulnerability note CVE-2014-0060 CVE-2014-0061 CVE-2014-0062

PostgreSQL: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, MBS, openSUSE, PostgreSQL, RHEL, Ubuntu.
Severity: 2/4.
Creation date: 20/02/2014.
Identifiers: BID-65719, BID-65723, BID-65724, BID-65725, BID-65727, BID-65728, BID-65731, CERTFR-2014-AVI-080, CVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064, CVE-2014-0065, CVE-2014-0066, CVE-2014-2669, DSA-2864-1, DSA-2865-1, FEDORA-2014-2870, MDVSA-2014:047, MDVSA-2015:110, openSUSE-SU-2014:0345-1, openSUSE-SU-2014:0368-1, RHSA-2014:0211-01, RHSA-2014:0221-01, RHSA-2014:0249-01, RHSA-2014:0469-01, USN-2120-1, VIGILANCE-VUL-14289.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

An attacker who gained a role via SET ROLE, can revoke the access of other members. [severity:2/4; BID-65723, CVE-2014-0060]

An attacker can use a validator function, in order to escalate his privileges. [severity:2/4; BID-65724, CVE-2014-0061]

An attacker can use CREATE INDEX, in order to escalate his privileges. [severity:2/4; BID-65727, CVE-2014-0062]

An attacker can generate a buffer overflow via a long date, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; BID-65719, CVE-2014-0063]

An attacker can generate a buffer overflow, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; BID-65731, CVE-2014-0065]

An attacker can dereference a NULL pointer via crypt(), in order to trigger a denial of service. [severity:1/4; BID-65728, CVE-2014-0066]

An attacker can generate an integer overflow in path_in(), in order to trigger a denial of service, and possibly to execute code. [severity:2/4; BID-65725, CVE-2014-0064]

An attacker can generate an integer overflow in hstore, in order to trigger a denial of service, and possibly to execute code. [severity:2/4; CVE-2014-2669]
Complete Vigil@nce bulletin.... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about PostgreSQL: