Risk | Low |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2013-0255 |
CWE-ID | CWE-20 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
PostgreSQL Server applications / Database software |
Vendor | PostgreSQL Global Development Group |
Security Bulletin
This security bulletin contains one low risk vulnerability.
EUVDB-ID: #VU32715
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2013-0255
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to perform a denial of service (DoS) attack.
PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read.
MitigationInstall update from vendor's website.
Vulnerable software versionsPostgreSQL: 9.2.0 - 9.2.2
External linkshttp://lists.fedoraproject.org/pipermail/package-announce/2013-February/098586.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00059.html
http://lists.opensuse.org/opensuse-updates/2013-02/msg00060.html
http://osvdb.org/89935
http://rhn.redhat.com/errata/RHSA-2013-1475.html
http://secunia.com/advisories/51923
http://secunia.com/advisories/52819
http://securitytracker.com/id?1028092
http://www.debian.org/security/2013/dsa-2630
http://www.mandriva.com/security/advisories?name=MDVSA-2013:142
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.postgresql.org/docs/8.3/static/release-8-3-23.html
http://www.postgresql.org/docs/8.4/static/release-8-4-16.html
http://www.postgresql.org/docs/9.0/static/release-9-0-12.html
http://www.postgresql.org/docs/9.1/static/release-9-1-8.html
http://www.postgresql.org/docs/9.2/static/release-9-2-3.html
http://www.securityfocus.com/bid/57844
http://www.ubuntu.com/usn/USN-1717-1
http://blogs.oracle.com/sunsecurity/entry/cve_2013_0255_array_index
http://bugzilla.redhat.com/show_bug.cgi?id=907892
http://exchange.xforce.ibmcloud.com/vulnerabilities/81917
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.