VuXML ID | Description |
4b636f50-f011-11ed-bbae-6cc21735f730 | postgresql-server -- Row security policies disregard user ID changes after inlining
PostgreSQL Project reports:
While CVE-2016-2193 fixed most interaction between row security and
user ID changes, it missed a scenario involving function
inlining. This leads to potentially incorrect policies being
applied in cases where role-specific policies are used and a
given query is planned under one role and then executed under
other roles. This scenario can happen under security definer
functions or when a common user and query is planned
initially and then re-used across multiple SET ROLEs.
Applying an incorrect policy may permit a user to complete
otherwise-forbidden reads and modifications. This affects
only databases that have used CREATE POLICY to define a row
security policy.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2455
https://www.postgresql.org/support/security/CVE-2023-2455/
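The queries below are an added check, not part of the VuXML entry or of the PostgreSQL project's advisory. They inventory, per database, the conditions the advisory names: a minor release in one of the affected ranges, row security policies that are attached to specific roles rather than PUBLIC, and SECURITY DEFINER functions, which are one of the two paths by which a plan built under one user ID can be executed under another. Only system catalog objects are referenced; the only assumption is that they are run in each database of the cluster.

```sql
-- Added check for CVE-2023-2455; not the project's code. Run in each database.

-- 1. Minor release still in one of the affected ranges listed above?
--    server_version_num is major*10000 + minor, e.g. 15.3 -> 150003.
SELECT current_setting('server_version') AS server_version,
       CASE
         WHEN v BETWEEN 110000 AND 110019 THEN 'affected (< 11.20)'
         WHEN v BETWEEN 120000 AND 120014 THEN 'affected (< 12.15)'
         WHEN v BETWEEN 130000 AND 130010 THEN 'affected (< 13.11)'
         WHEN v BETWEEN 140000 AND 140007 THEN 'affected (< 14.8)'
         WHEN v BETWEEN 150000 AND 150002 THEN 'affected (< 15.3)'
         ELSE 'not in the listed ranges'
       END AS cve_2023_2455
FROM (SELECT current_setting('server_version_num')::int AS v) AS s;

-- 2. Row security policies attached to specific roles rather than PUBLIC.
--    pg_policies.roles shows {public} for a policy that applies to everyone;
--    the advisory's scenario needs policies that differ by role.
SELECT schemaname, tablename, policyname, permissive, cmd, roles
FROM pg_catalog.pg_policies
WHERE roles <> '{public}'::name[]
ORDER BY schemaname, tablename, policyname;

-- 3. SECURITY DEFINER functions outside the system schemas. A query planned
--    inside one of these runs under the definer's user ID, which is one of
--    the two role-change paths the advisory describes (the other is a cached
--    plan reused across SET ROLE). Review their bodies against the tables
--    returned by query 2.
SELECT n.nspname AS schema,
       p.proname  AS function,
       pg_get_userbyid(p.proowner) AS owner,
       l.lanname  AS language
FROM pg_catalog.pg_proc p
JOIN pg_catalog.pg_namespace n ON n.oid = p.pronamespace
JOIN pg_catalog.pg_language  l ON l.oid = p.prolang
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY 1, 2;
```

A database that returns no rows from query 2 is outside the advisory's scope regardless of version; one that does should be upgraded before the SECURITY DEFINER functions from query 3 are trusted to apply the right policy.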
|
bbb18fcb-7f0d-11ee-94b4-6cc21735f730 | postgresql-server -- Role pg_cancel_backend can signal certain superuser processes
PostgreSQL Project reports:
Documentation says the pg_cancel_backend role cannot
signal "a backend owned by a superuser". On the
contrary, it can signal background workers, including
the logical replication launcher. It can signal
autovacuum workers and the autovacuum launcher.
Signaling autovacuum workers and those two launchers
provides no meaningful exploit, so exploiting this
vulnerability requires a non-core extension with a
less-resilient background worker. For example, a
non-core background worker that does not auto-restart
would experience a denial of service with respect to
that particular background worker.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5870
https://www.postgresql.org/support/security/CVE-2023-5870/
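The two queries below are an added check for an unpatched server, not part of the VuXML entry or of the project's advisory. The first lists which roles can signal through pg_cancel_backend (directly or by inherited membership); the second lists running background workers whose type is not one of the core processes the advisory calls harmless targets, which is where a non-restarting extension worker would show up. Only system catalog objects are referenced.

```sql
-- Added check for CVE-2023-5870; not the project's code.

-- Non-superuser roles that hold pg_cancel_backend, directly or via membership.
-- Superusers are excluded because pg_has_role() is always true for them.
SELECT r.rolname, r.rolcanlogin
FROM pg_catalog.pg_roles r
WHERE NOT r.rolsuper
  AND r.rolname <> 'pg_cancel_backend'
  AND pg_has_role(r.oid, 'pg_cancel_backend', 'MEMBER')
ORDER BY r.rolname;

-- Background processes that are not core server processes. Extension workers
-- report the bgw_type string they registered with as backend_type; check each
-- one's restart behaviour (bgw_restart_time) in the extension's source.
SELECT pid, backend_type, usename, application_name, backend_start
FROM pg_catalog.pg_stat_activity
WHERE backend_type NOT IN ('client backend', 'autovacuum launcher',
                           'autovacuum worker', 'logical replication launcher',
                           'logical replication worker', 'background writer',
                           'checkpointer', 'walwriter', 'walsender',
                           'walreceiver', 'startup', 'archiver')
ORDER BY backend_start;
```

If the first query returns nobody and the second returns nothing, the issue is moot on that cluster; otherwise the fix is the upgrade, since the advisory does not offer a configuration workaround.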
|
31f45d06-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Memory disclosure in aggregate function calls
PostgreSQL Project reports:
Certain aggregate function calls receiving "unknown"-type
arguments could disclose bytes of server memory from the end of
the "unknown"-type value to the next zero byte. One typically
gets an "unknown"-type value via a string literal having no type
designation. We have not confirmed or ruled out viability of
attacks that arrange for presence of notable, confidential
information in disclosed bytes.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5868
https://www.postgresql.org/support/security/CVE-2023-5868/
|
fbb5a260-f00f-11ed-bbae-6cc21735f730 | postgresql-server -- CREATE SCHEMA ... schema elements defeats protective search_path changes
PostgreSQL Project reports:
This enabled an attacker having database-level CREATE
privilege to execute arbitrary code as the bootstrap
superuser. Database owners have that right by default,
and explicit grants may extend it to other users.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2454
https://www.postgresql.org/support/security/CVE-2023-2454/
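The advisory's precondition is database-level CREATE privilege, which the CVE-2023-39417 entry on this page shares. The queries below are an added check, not the project's code, that enumerate who holds that privilege on each database: explicit grants recorded in pg_database.datacl, the owner's implicit right, and the effective per-role answer for the current database. Only system catalog objects and built-in functions are used.

```sql
-- Added check for CVE-2023-2454 (and the same prerequisite in CVE-2023-39417);
-- not the project's code.

-- Explicit CREATE grants on every database. aclexplode() yields one row per
-- (grantor, grantee, privilege); grantee 0 is PUBLIC. A NULL datacl (the
-- default) yields no rows, which is why owners are added separately.
SELECT d.datname,
       CASE WHEN a.grantee = 0 THEN 'PUBLIC'
            ELSE pg_get_userbyid(a.grantee)::text END AS grantee,
       pg_get_userbyid(a.grantor)::text AS grantor,
       a.is_grantable
FROM pg_catalog.pg_database d
CROSS JOIN LATERAL aclexplode(d.datacl) AS a
WHERE a.privilege_type = 'CREATE'
UNION ALL
SELECT d.datname,
       pg_get_userbyid(d.datdba)::text || ' (owner, implicit)',
       NULL,
       NULL
FROM pg_catalog.pg_database d
ORDER BY 1, 2;

-- Effective answer for the database you are connected to, including grants
-- reached through role membership. Superusers are left out: they can do this
-- anyway, so the interesting rows are the non-superusers.
SELECT r.rolname, r.rolcanlogin
FROM pg_catalog.pg_roles r
WHERE NOT r.rolsuper
  AND has_database_privilege(r.oid, current_database(), 'CREATE')
ORDER BY r.rolname;
```

Every non-superuser in the second result could, on an unpatched release, reach bootstrap-superuser code execution through the CREATE SCHEMA path the advisory describes; the upgrade is the fix, and the list doubles as a review of whether those grants are still needed.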
|
cfd2a634-3785-11ee-94b4-6cc21735f730 | postgresql-server -- Extension script @substitutions@ within quoting allow SQL injection
PostgreSQL Project reports:
An extension script is vulnerable if it uses @extowner@,
@extschema@, or @extschema:...@ inside a quoting construct
(dollar quoting, '', or ""). No bundled extension is
vulnerable. Vulnerable uses do appear in a documentation
example and in non-bundled extensions. Hence, the attack
prerequisite is an administrator having installed files of a
vulnerable, trusted, non-bundled extension. Subject to that
prerequisite, this enables an attacker having database-level
CREATE privilege to execute arbitrary code as the bootstrap
superuser. PostgreSQL will block this attack in the core
server, so there's no need to modify individual extensions.
Discovery 2023-08-10 Entry 2023-08-10 postgresql-server
< 11.21
< 12.16
< 13.12
< 14.9
< 15.4
CVE-2023-39417
https://www.postgresql.org/support/security/CVE-2023-39417/
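The script fragments below are a constructed example, not a bundled extension and not the project's code, showing the quoting mistake the advisory describes and two rewrites that keep every @substitution@ outside a quoting construct. The extension name "pair", its composite type and its functions are assumed for illustration. Background that the example relies on: for an extension whose control file sets relocatable = false, CREATE EXTENSION substitutes the target schema name (quoted as an identifier) for @extschema@ by plain text replacement before running the script, and a trusted extension's script runs with superuser rights.

```sql
-- Added example for CVE-2023-39417; constructed, not the project's code.
-- Extension "pair" and everything in it are assumed for illustration.

-- === VULNERABLE: @extschema@ inside a '...' function body ===
-- The substituted text lands inside a string literal. A schema name that
-- contains a single quote therefore ends the literal early, and whatever
-- follows in the name is parsed as SQL by the script runner. Fixed releases
-- refuse to substitute such names, which is why the advisory says no
-- extension needs to change.
CREATE TYPE pair AS (k text, v text);

CREATE FUNCTION pair(text, text) RETURNS pair
LANGUAGE SQL
AS 'SELECT ROW($1, $2)::@extschema@.pair;';

DROP FUNCTION pair(text, text);   -- only so this file runs top to bottom

-- === SAFE on PostgreSQL 14+: SQL-standard body, no quoting construct ===
-- BEGIN ATOMIC ... END is parsed as SQL when the function is created rather
-- than stored as a string, so the substituted identifier is tokenised as an
-- identifier and cannot break out into anything else.
CREATE FUNCTION pair(text, text) RETURNS pair
LANGUAGE SQL
BEGIN ATOMIC
  SELECT ROW($1, $2)::@extschema@.pair;
END;

-- === SAFE on older majors: keep @extschema@ in the function's SET clause ===
-- The SET clause is not quoted, and the body stays unqualified; pg_temp is
-- listed last so a temporary object cannot shadow the extension's type.
CREATE FUNCTION pair_lower(pair) RETURNS pair
LANGUAGE SQL
SET search_path = @extschema@, pg_temp
AS 'SELECT ROW(lower($1.k), lower($1.v))::pair;';

-- === Which installed scripts deserve a review ===
-- Only trusted extensions can be installed by a non-superuser, and the
-- advisory states that no bundled extension is affected, so the scripts to
-- audit are the trusted third-party ones under the server's extension
-- directory (pg_config --sharedir).
SELECT name, version, installed, superuser, trusted
FROM pg_catalog.pg_available_extension_versions
WHERE trusted
ORDER BY name, version;
```

The rule the rewrites follow is the one the advisory implies: a substitution token may appear where an identifier is expected, never between dollar quotes, single quotes or double quotes.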
|
19e6dd1b-c6a5-11ee-9cd0-6cc21735f730 | postgresql-server -- non-owner REFRESH MATERIALIZED VIEW CONCURRENTLY executes arbitrary SQL
PostgreSQL Project reports:
One step of a concurrent refresh command was run under
weak security restrictions. If a materialized view's
owner could persuade a superuser or other
high-privileged user to perform a concurrent refresh on
that view, the view's owner could control code executed
with the privileges of the user running REFRESH. The fix
for the vulnerability makes it so that all
user-determined code is run as the view's owner, as
expected.
Discovery 2024-02-08 Entry 2024-02-08 postgresql-server
< 15.6
< 14.11
< 13.14
< 12.18
CVE-2024-0985
https://www.postgresql.org/support/security/CVE-2024-0985/
|
e050119b-3856-11df-b2b2-002170daae37 | postgresql -- bitsubstr overflow
BugTraq reports:
PostgreSQL is prone to a buffer-overflow
vulnerability because the application fails to
perform adequate boundary checks on user-supplied
data.
Attackers can exploit this issue to execute
arbitrary code with elevated privileges or
crash the affected application.
Discovery 2010-01-27 Entry 2010-03-25 postgresql-server
ge 7.4 lt 7.4.28
ge 8.0 lt 8.0.24
ge 8.1 lt 8.1.20
ge 8.2 lt 8.2.16
ge 8.3 lt 8.3.10
ge 8.4 lt 8.4.3
BugTraq ID 37973
CVE-2010-0442
|
d53c30c1-0d7b-11ef-ba02-6cc21735f730 | PostgreSQL server -- Potentially allowing authenticated database users to see data that they shouldn't.
PostgreSQL project reports:
A security vulnerability was found in the system views pg_stats_ext
and pg_stats_ext_exprs, potentially allowing authenticated database
users to see data they shouldn't. If this is of concern in your
installation, run the SQL script /usr/local/share/postgresql/fix-CVE-2024-4317.sql
for each of your databases. See the link for details.
Discovery 2024-05-09 Entry 2024-05-09 postgresql-server
< 16.3
< 15.7
< 14.12
CVE-2024-4317
https://www.postgresql.org/support/security/CVE-2024-4317/
|
42d42090-9a4d-11e3-b029-08002798f6ff | PostgreSQL -- multiple privilege issues
PostgreSQL Project reports:
This update fixes CVE-2014-0060, in which PostgreSQL did not
properly enforce the WITH ADMIN OPTION permission for ROLE management.
Before this fix, any member of a ROLE was able to grant others access
to the same ROLE regardless if the member was given the WITH ADMIN
OPTION permission. It also fixes multiple privilege escalation issues,
including: CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064,
CVE-2014-0065, and CVE-2014-0066. More information on these issues can
be found on our security page and the security issue detail wiki page.
With this release, we are also alerting users to a known security hole
that allows other users on the same machine to gain access to an
operating system account while it is doing "make check":
CVE-2014-0067. "Make check" is normally part of building PostgreSQL
from source code. As it is not possible to fix this issue without
causing significant issues to our testing infrastructure, a patch will
be released separately and publicly. Until then, users are strongly
advised not to run "make check" on machines where untrusted users have
accounts.
Discovery 2014-02-20 Entry 2014-02-20 postgresql-server
< 8.4.20
ge 9.0.0 lt 9.0.16
ge 9.1.0 lt 9.1.12
ge 9.2.0 lt 9.2.7
ge 9.3.0 lt 9.3.3
CVE-2014-0060
CVE-2014-0061
CVE-2014-0062
CVE-2014-0063
CVE-2014-0064
CVE-2014-0065
CVE-2014-0066
CVE-2014-0067
|
0f445859-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Buffer overrun from integer overflow in array modification
PostgreSQL Project reports:
While modifying certain SQL array values, missing
overflow checks let authenticated database users write
arbitrary bytes to a memory area that facilitates
arbitrary code execution. Missing overflow checks also
let authenticated database users read a wide area of
server memory. The CVE-2021-32027 fix covered some
attacks of this description, but it missed others.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5869
https://www.postgresql.org/support/security/CVE-2023-5869/
|
59a43a73-3786-11ee-94b4-6cc21735f730 | postgresql-server -- MERGE fails to enforce UPDATE or SELECT row security policies
PostgreSQL Project reports:
PostgreSQL 15 introduced the MERGE command, which fails to test
new rows against row security policies defined for UPDATE and
SELECT. If UPDATE and SELECT policies forbid some row that
INSERT policies do not forbid, a user could store such rows.
Subsequent consequences are application-dependent. This
affects only databases that have used CREATE POLICY to define
a row security policy.
Discovery 2023-08-10 Entry 2023-08-10 postgresql-server
< 15.4
CVE-2023-39418
https://www.postgresql.org/support/security/CVE-2023-39418/
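The script below is a constructed example, not from the advisory and not the project's code, that sets up the precondition the advisory names (an UPDATE policy forbidding a row that the INSERT policy allows) and then issues a MERGE whose UPDATE action produces exactly such a row. Table, column and role names are assumed for illustration. It needs PostgreSQL 15 (MERGE), must be started as a superuser or the table's owner, and switches to a separate role for the test because owners bypass row security.

```sql
-- Added example for CVE-2023-39418; constructed, not the project's code.
-- Names (tickets, app_user, ...) are assumed for illustration.

CREATE ROLE app_user LOGIN;
CREATE TABLE tickets (
    id     int  PRIMARY KEY,
    owner  text NOT NULL,
    status text NOT NULL
);
GRANT SELECT, INSERT, UPDATE ON tickets TO app_user;
ALTER TABLE tickets ENABLE ROW LEVEL SECURITY;

-- INSERT is deliberately lax: any row may be filed.
CREATE POLICY tickets_insert ON tickets FOR INSERT TO app_user
    WITH CHECK (true);
-- SELECT: a user sees only their own tickets.
CREATE POLICY tickets_select ON tickets FOR SELECT TO app_user
    USING (owner = current_user);
-- UPDATE: own tickets only, and an update may never produce a 'closed' row.
-- This is the policy that forbids a row the INSERT policy does not.
CREATE POLICY tickets_update ON tickets FOR UPDATE TO app_user
    USING (owner = current_user)
    WITH CHECK (owner = current_user AND status <> 'closed');

SET ROLE app_user;
INSERT INTO tickets VALUES (1, 'app_user', 'open');

-- Plain UPDATE: rejected on every release, because the new row fails the
-- UPDATE policy's WITH CHECK expression.
UPDATE tickets SET status = 'closed' WHERE id = 1;
-- ERROR:  new row violates row-level security policy for table "tickets"

-- MERGE whose UPDATE action yields the same forbidden row. On 15.0 through
-- 15.3 the new row was not tested against the UPDATE policy, so it could be
-- stored; on 15.4 and later this raises the same error as the UPDATE above.
MERGE INTO tickets AS t
USING (VALUES (1, 'closed')) AS s(id, status)
ON t.id = s.id
WHEN MATCHED THEN UPDATE SET status = s.status
WHEN NOT MATCHED THEN INSERT VALUES (s.id, current_user, s.status);

RESET ROLE;
-- Verification after the upgrade: status must still be 'open'.
SELECT id, owner, status FROM tickets;
```

Running the script on a patched 15.x is a cheap regression test for any schema that relies on row security and has started using MERGE; the last SELECT is the assertion.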
|
a8864f8f-aa9e-11e1-a284-0023ae8e59f0 | databases/postgresql*-server -- crypt vulnerabilities
The PostgreSQL Global Development Group reports:
Today the PHP, OpenBSD and FreeBSD communities announced updates to
patch a security hole involving their crypt() hashing algorithms. This
issue is described in CVE-2012-2143. This vulnerability also affects a
minority of PostgreSQL users, and will be fixed in an update release on
June 4, 2012.
Affected users are those who use the crypt(text, text) function
with DES encryption in the optional pg_crypto module. Passwords
affected are those that contain characters that cannot be
represented with 7-bit ASCII. If a password contains a character
that has the most significant bit set (0x80), and DES encryption
is used, that character and all characters after it will be ignored.
Discovery 2012-05-30 Entry 2012-05-30 Modified 2012-05-31 postgresql-server
gt 8.3.* lt 8.3.18_1
gt 8.4.* lt 8.4.11_1
gt 9.0.* lt 9.0.7_2
gt 9.1.* lt 9.1.3_1
gt 9.2.* lt 9.2.b1_1
CVE-2012-2143
http://www.postgresql.org/about/news/1397/
http://git.postgresql.org/gitweb/?p=postgresql.git;a=patch;h=932ded2ed51e8333852e370c7a6dad75d9f236f9
|
3f332f16-9b6b-11e2-8fe9-08002798f6ff | PostgreSQL -- anonymous remote access data corruption vulnerability
PostgreSQL project reports:
The PostgreSQL Global Development Group has released a security
update to all current versions of the PostgreSQL database system,
including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update
fixes a high-exposure security vulnerability in versions 9.0 and
later. All users of the affected versions are strongly urged to apply
the update *immediately*.
A major security issue (for versions 9.x only) fixed in this release,
[CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899),
makes it possible for a connection request containing a database name
that begins with "-" to be crafted that can damage or destroy files
within a server's data directory. Anyone with access to the port the
PostgreSQL server listens on can initiate this request. This issue was
discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source
Software Center.
Two lesser security fixes are also included in this release:
[CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900),
wherein random numbers generated by contrib/pgcrypto functions may be
easy for another database user to guess (all versions), and
[CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901),
which mistakenly allows an unprivileged user to run commands that
could interfere with in-progress backups (for versions 9.x only).
Discovery 2013-04-04 Entry 2013-04-04 postgresql-server
ge 8.3.0 lt 8.3.21_1
ge 8.4.0 lt 8.4.17
ge 9.0.0 lt 9.0.13
ge 9.1.0 lt 9.1.9
ge 9.2.0 lt 9.2.4
CVE-2013-1899
CVE-2013-1900
CVE-2013-1901
|
07234e78-e899-11e1-b38d-0023ae8e59f0 | databases/postgresql*-server -- multiple vulnerabilities
The PostgreSQL Global Development Group reports:
The PostgreSQL Global Development Group today released
security updates for all active branches of the PostgreSQL
database system, including versions 9.1.5, 9.0.9, 8.4.13 and
8.3.20. This update patches security holes associated with
libxml2 and libxslt, similar to those affecting other open
source projects. All users are urged to update their
installations at the first available opportunity.
Users who are relying on the built-in XML functionality to
validate external DTDs will need to implement a workaround, as
this security patch disables that functionality. Users who are
using xslt_process() to fetch documents or stylesheets from
external URLs will no longer be able to do so. The PostgreSQL
project regrets the need to disable both of these features in
order to maintain our security standards. These security issues
with XML are substantially similar to issues patched recently
by the Webkit (CVE-2011-1774), XMLsec (CVE-2011-1425) and PHP5
(CVE-2012-0057) projects.
Discovery 2012-08-17 Entry 2012-08-17 postgresql-server
> 8.3.* < 8.3.20
> 8.4.* < 8.4.13
> 9.0.* < 9.0.9
> 9.1.* < 9.1.5
CVE-2012-3488
CVE-2012-3489
http://www.postgresql.org/about/news/1407/
|
fbb5a260-f00f-11ed-bbae-6cc21735f730 | postgresql-server -- CREATE SCHEMA ... schema elements defeats protective search_path changes
PostgreSQL Project reports:
This enabled an attacker having database-level CREATE
privilege to execute arbitrary code as the bootstrap
superuser. Database owners have that right by default,
and explicit grants may extend it to other users.
Discovery 2023-05-11 Entry 2023-05-11 postgresql-server
< 15.3
< 14.8
< 13.11
< 12.15
< 11.20
CVE-2023-2454
https://www.postgresql.org/support/security/CVE-2023-2454/
|
0f445859-7f0e-11ee-94b4-6cc21735f730 | postgresql-server -- Buffer overrun from integer overflow in array modification
PostgreSQL Project reports:
While modifying certain SQL array values, missing
overflow checks let authenticated database users write
arbitrary bytes to a memory area that facilitates
arbitrary code execution. Missing overflow checks also
let authenticated database users read a wide area of
server memory. The CVE-2021-32027 fix covered some
attacks of this description, but it missed others.
Discovery 2023-11-09 Entry 2023-11-09 postgresql-server
< 16.1
< 15.5
< 14.10
< 13.13
< 12.17
< 11.22
CVE-2023-5869
https://www.postgresql.org/support/security/CVE-2023-5869/
|
d53c30c1-0d7b-11ef-ba02-6cc21735f730 | PostgreSQL server -- Potentially allowing authenticated database users to see data that they shouldn't.
PostgreSQL project reports:
A security vulnerability was found in the system views pg_stats_ext
and pg_stats_ext_exprs, potentially allowing authenticated database
users to see data they shouldn't. If this is of concern in your
installation, run the SQL script /usr/local/share/postgresql/fix-CVE-2024-4317.sql
for each of your databases. See the link for details.
Discovery 2024-05-09 Entry 2024-05-09 postgresql-server
< 16.3
< 15.7
< 14.12
CVE-2024-4317
https://www.postgresql.org/support/security/CVE-2024-4317/
|