ID CVE-2009-3229
Summary The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to cause a denial of service (backend shutdown) by "re-LOAD-ing" libraries from a certain plugins directory.
References
Vulnerable Configurations
  • cpe:2.3:a:postgresql:postgresql:8.2:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.7:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.8:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.9:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.9:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.10:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.10:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.11:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.11:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.12:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.12:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.2.13:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.2.13:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.3:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.3.7:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.3.7:*:*:*:*:*:*:*
  • cpe:2.3:a:postgresql:postgresql:8.4:*:*:*:*:*:*:*
    cpe:2.3:a:postgresql:postgresql:8.4:*:*:*:*:*:*:*
CVSS
Base: 4.0 (as of 10-10-2018 - 19:43)
Impact:
Exploitability:
CWE NVD-CWE-noinfo
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:N/I:N/A:P
redhat via4
rpms
  • httpd-0:2.2.13-2.el5s2
  • httpd-debuginfo-0:2.2.13-2.el5s2
  • httpd-devel-0:2.2.13-2.el5s2
  • httpd-manual-0:2.2.13-2.el5s2
  • mod_ssl-1:2.2.13-2.el5s2
  • mysql-0:5.0.84-2.el5s2
  • mysql-bench-0:5.0.84-2.el5s2
  • mysql-cluster-0:5.0.84-2.el5s2
  • mysql-debuginfo-0:5.0.84-2.el5s2
  • mysql-devel-0:5.0.84-2.el5s2
  • mysql-libs-0:5.0.84-2.el5s2
  • mysql-server-0:5.0.84-2.el5s2
  • mysql-test-0:5.0.84-2.el5s2
  • perl-DBD-MySQL-0:4.012-1.el5s2
  • perl-DBD-MySQL-debuginfo-0:4.012-1.el5s2
  • perl-DBI-0:1.609-1.el5s2
  • perl-DBI-debuginfo-0:1.609-1.el5s2
  • php-0:5.2.10-1.el5s2
  • php-bcmath-0:5.2.10-1.el5s2
  • php-cli-0:5.2.10-1.el5s2
  • php-common-0:5.2.10-1.el5s2
  • php-dba-0:5.2.10-1.el5s2
  • php-debuginfo-0:5.2.10-1.el5s2
  • php-devel-0:5.2.10-1.el5s2
  • php-gd-0:5.2.10-1.el5s2
  • php-imap-0:5.2.10-1.el5s2
  • php-ldap-0:5.2.10-1.el5s2
  • php-mbstring-0:5.2.10-1.el5s2
  • php-mysql-0:5.2.10-1.el5s2
  • php-ncurses-0:5.2.10-1.el5s2
  • php-odbc-0:5.2.10-1.el5s2
  • php-pdo-0:5.2.10-1.el5s2
  • php-pear-1:1.8.1-2.el5s2
  • php-pgsql-0:5.2.10-1.el5s2
  • php-snmp-0:5.2.10-1.el5s2
  • php-soap-0:5.2.10-1.el5s2
  • php-xml-0:5.2.10-1.el5s2
  • php-xmlrpc-0:5.2.10-1.el5s2
  • postgresql-0:8.2.14-1.el5s2
  • postgresql-contrib-0:8.2.14-1.el5s2
  • postgresql-debuginfo-0:8.2.14-1.el5s2
  • postgresql-devel-0:8.2.14-1.el5s2
  • postgresql-docs-0:8.2.14-1.el5s2
  • postgresql-jdbc-0:8.2.510-1jpp.el5s2
  • postgresql-jdbc-debuginfo-0:8.2.510-1jpp.el5s2
  • postgresql-libs-0:8.2.14-1.el5s2
  • postgresql-plperl-0:8.2.14-1.el5s2
  • postgresql-plpython-0:8.2.14-1.el5s2
  • postgresql-pltcl-0:8.2.14-1.el5s2
  • postgresql-python-0:8.2.14-1.el5s2
  • postgresql-server-0:8.2.14-1.el5s2
  • postgresql-tcl-0:8.2.14-1.el5s2
  • postgresql-test-0:8.2.14-1.el5s2
refmap via4
bid 36314
bugtraq 20100307 rPSA-2010-0012-1 postgresql postgresql-contrib postgresql-server
confirm
debian DSA-1900
fedora
  • FEDORA-2009-9473
  • FEDORA-2009-9474
hp
  • HPSBMU02781
  • SSRT100617
secunia
  • 36660
  • 36727
  • 36800
  • 36837
sunalert 270408
suse
  • SUSE-SR:2009:016
  • SUSE-SR:2009:017
ubuntu USN-834-1
statements via4
contributor Tomas Hoger
lastmodified 2009-09-24
organization Red Hat
statement Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 3, 4, or 5. In PostgreSQL versions prior to 8.2, only database administrator was able to LOAD additional plugins and use it to cause server crash. However, this does not bypass trust boundary, so its not a security flaw for older PostgreSQL versions. Additionally, no plugins are shipped in Red Hat PostgreSQL packages by default. This issue was addressed in Red Hat Application Stack v2 via https://rhn.redhat.com/errata/RHSA-2009-1461.html .
Last major update 10-10-2018 - 19:43
Published 17-09-2009 - 10:30
Last modified 10-10-2018 - 19:43
Back to Top