Detections
Analytics
PostgreSQL < 8.3.19 / 8.4.12 / 9.0.8 / 9.1.4 Multiple Vulnerabilities
medium Nessus Network Monitor Plugin ID 6816
Synopsis
The remote database server is affected by multiple vulnerabilities.Description
Versions of PostgreSQL earlier than 8.3.19/ 8.4.12 / 9.0.8 / 9.1.4 are potentially affected by multiple vulnerabilities. It therefore is affected by the following vulnerabilities :- Passwords containing the byte 0x80 passed to the crypt() function in pgcrypto are incorrectly truncated if DES encryption was used. (CVE-2012-2143)
- SECURITY_DEFINER and SET attributes on procedural call handlers are not ignored and can be used to crash the server. (CVE-2012-2655)
Solution
Upgrade to PostgreSQL 8.3.19 / 8.4.12 / 9.0.8 / 9.1.4 or later.See Also
http://www.postgresql.org/about/news/1398
http://www.postgresql.org/docs/8.3/static/release-8-3-19.html
http://www.postgresql.org/docs/8.4/static/release-8-4-12.html
http://www.postgresql.org/docs/9.0/static/release-9-0-8.html
http://www.postgresql.org/docs/9.1/static/release-9-1-4.html
Plugin Details
Severity: Medium
ID: 6816
Family: Database
Published: 5/14/2013
Updated: 3/6/2019
Nessus ID: 63353
Risk Information
VPR
Risk Factor: Medium
Score: 6.5
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Temporal Score: 5.9
Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C
CVSS v3
Risk Factor: Medium
Base Score: 6.5
Temporal Score: 6.2
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:postgresql:postgresql
Patch Publication Date: 5/30/2012
Vulnerability Publication Date: 5/31/2012
Reference Information
CVE: CVE-2012-2143, CVE-2012-2655