Risk | Low |
Patch available | YES |
Number of vulnerabilities | 8 |
CVE-ID | CVE-2014-2669 CVE-2014-0061 CVE-2014-0062 CVE-2014-0063 CVE-2014-0064 CVE-2014-0065 CVE-2014-0066 CVE-2014-0060 |
CWE-ID | CWE-20 CWE-264 CWE-362 CWE-121 CWE-119 CWE-476 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
PostgreSQL Server applications / Database software |
Vendor | PostgreSQL Global Development Group |
Security Bulletin
This security bulletin contains information about 8 vulnerabilities.
EUVDB-ID: #VU41872
Risk: Low
CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-2669
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to read and manipulate data.
Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3) hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a buffer overflow. NOTE: this issue was SPLIT from CVE-2014-0064 because it has a different set of affected versions.
MitigationInstall update from vendor's website.
Vulnerable software versionsPostgreSQL: 9.0 - 9.3.2
External linkshttp://rhn.redhat.com/errata/RHSA-2014-0221.html
http://rhn.redhat.com/errata/RHSA-2014-0469.html
http://wiki.postgresql.org/wiki/20140220securityrelease
http://www.debian.org/security/2014/dsa-2864
http://www.debian.org/security/2014/dsa-2865
http://www.postgresql.org/about/news/1506/
http://www.postgresql.org/support/security/
http://github.com/postgres/postgres/commit/31400a673325147e1205326008e32135a78b4d8a
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41873
Risk: Low
CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-0061
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to read and manipulate data.
The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.
MitigationInstall update from vendor's website.
Vulnerable software versionsPostgreSQL: 8.4.1 - 9.3.2
External linkshttp://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html
http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html
http://rhn.redhat.com/errata/RHSA-2014-0211.html
http://rhn.redhat.com/errata/RHSA-2014-0221.html
http://rhn.redhat.com/errata/RHSA-2014-0249.html
http://rhn.redhat.com/errata/RHSA-2014-0469.html
http://secunia.com/advisories/61307
http://support.apple.com/kb/HT6448
http://wiki.postgresql.org/wiki/20140220securityrelease
http://www.debian.org/security/2014/dsa-2864
http://www.debian.org/security/2014/dsa-2865
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.postgresql.org/about/news/1506/
http://www.ubuntu.com/usn/USN-2120-1
http://support.apple.com/kb/HT6536
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41874
Risk: Low
CVSSv3.1: 2.3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-0062
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to read and manipulate data.
Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window.
MitigationInstall update from vendor's website.
Vulnerable software versionsPostgreSQL: 8.4.1 - 9.3.2
External linkshttp://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html
http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html
http://rhn.redhat.com/errata/RHSA-2014-0211.html
http://rhn.redhat.com/errata/RHSA-2014-0221.html
http://rhn.redhat.com/errata/RHSA-2014-0249.html
http://rhn.redhat.com/errata/RHSA-2014-0469.html
http://secunia.com/advisories/61307
http://support.apple.com/kb/HT6448
http://wiki.postgresql.org/wiki/20140220securityrelease
http://www.debian.org/security/2014/dsa-2864
http://www.debian.org/security/2014/dsa-2865
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.postgresql.org/about/news/1506/
http://www.securityfocus.com/bid/65727
http://www.ubuntu.com/usn/USN-2120-1
http://support.apple.com/kb/HT6536
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41875
Risk: Low
CVSSv3.1: 3.1 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:L/E:U/RL:U/RC:C]
CVE-ID: CVE-2014-0063
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065. A remote unauthenticated attacker can trigger stack-based buffer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationInstall update from vendor's website.
Vulnerable software versionsPostgreSQL: 8.4.1 - 9.3.2
External linkshttp://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html
http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html
http://rhn.redhat.com/errata/RHSA-2014-0211.html
http://rhn.redhat.com/errata/RHSA-2014-0221.html
http://rhn.redhat.com/errata/RHSA-2014-0249.html
http://rhn.redhat.com/errata/RHSA-2014-0469.html
http://secunia.com/advisories/61307
http://support.apple.com/kb/HT6448
http://wiki.postgresql.org/wiki/20140220securityrelease
http://www.debian.org/security/2014/dsa-2864
http://www.debian.org/security/2014/dsa-2865
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.postgresql.org/about/news/1506/
http://www.postgresql.org/support/security/
http://www.securityfocus.com/bid/65719
http://www.ubuntu.com/usn/USN-2120-1
http://bugzilla.redhat.com/show_bug.cgi?id=1065226
http://github.com/postgres/postgres/commit/4318daecc959886d001a6e79c6ea853e8b1dfb4b
http://support.apple.com/kb/HT6536
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41876
Risk: Low
CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-0064
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to read and manipulate data.
Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector.
MitigationInstall update from vendor's website.
Vulnerable software versionsPostgreSQL: 8.4.1 - 9.3.2
External linkshttp://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html
http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html
http://rhn.redhat.com/errata/RHSA-2014-0211.html
http://rhn.redhat.com/errata/RHSA-2014-0221.html
http://rhn.redhat.com/errata/RHSA-2014-0249.html
http://rhn.redhat.com/errata/RHSA-2014-0469.html
http://secunia.com/advisories/61307
http://support.apple.com/kb/HT6448
http://wiki.postgresql.org/wiki/20140220securityrelease
http://www.debian.org/security/2014/dsa-2864
http://www.debian.org/security/2014/dsa-2865
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.postgresql.org/about/news/1506/
http://www.postgresql.org/support/security/
http://www.securityfocus.com/bid/65725
http://www.ubuntu.com/usn/USN-2120-1
http://bugzilla.redhat.com/show_bug.cgi?id=1065230
http://github.com/postgres/postgres/commit/31400a673325147e1205326008e32135a78b4d8a
http://support.apple.com/kb/HT6536
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41877
Risk: Low
CVSSv3.1: 3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-0065
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to read and manipulate data.
Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063.
MitigationInstall update from vendor's website.
Vulnerable software versionsPostgreSQL: 8.4.1 - 9.3.2
External linkshttp://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html
http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html
http://rhn.redhat.com/errata/RHSA-2014-0211.html
http://rhn.redhat.com/errata/RHSA-2014-0221.html
http://rhn.redhat.com/errata/RHSA-2014-0249.html
http://rhn.redhat.com/errata/RHSA-2014-0469.html
http://support.apple.com/kb/HT6448
http://wiki.postgresql.org/wiki/20140220securityrelease
http://www.debian.org/security/2014/dsa-2864
http://www.debian.org/security/2014/dsa-2865
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.postgresql.org/about/news/1506/
http://www.securityfocus.com/bid/65731
http://www.ubuntu.com/usn/USN-2120-1
http://support.apple.com/kb/HT6536
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41878
Risk: Low
CVSSv3.1: 1.4 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:N/I:N/A:L/E:U/RL:U/RC:C]
CVE-ID: CVE-2014-0066
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via unspecified vectors.
MitigationInstall update from vendor's website.
Vulnerable software versionsPostgreSQL: 8.4.1 - 9.3.2
External linkshttp://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html
http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html
http://rhn.redhat.com/errata/RHSA-2014-0211.html
http://rhn.redhat.com/errata/RHSA-2014-0221.html
http://rhn.redhat.com/errata/RHSA-2014-0249.html
http://rhn.redhat.com/errata/RHSA-2014-0469.html
http://support.apple.com/kb/HT6448
http://wiki.postgresql.org/wiki/20140220securityrelease
http://www.debian.org/security/2014/dsa-2864
http://www.debian.org/security/2014/dsa-2865
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.postgresql.org/about/news/1506/
http://www.ubuntu.com/usn/USN-2120-1
http://support.apple.com/kb/HT6536
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU41880
Risk: Low
CVSSv3.1: 1.3 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2014-0060
CWE-ID:
CWE-264 - Permissions, Privileges, and Access Controls
Exploit availability: No
DescriptionThe vulnerability allows a remote #AU# to manipulate data.
PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.
MitigationInstall update from vendor's website.
Vulnerable software versionsPostgreSQL: 8.4.1 - 9.3.2
External linkshttp://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.opensuse.org/opensuse-updates/2014-03/msg00018.html
http://lists.opensuse.org/opensuse-updates/2014-03/msg00038.html
http://rhn.redhat.com/errata/RHSA-2014-0211.html
http://rhn.redhat.com/errata/RHSA-2014-0221.html
http://rhn.redhat.com/errata/RHSA-2014-0249.html
http://rhn.redhat.com/errata/RHSA-2014-0469.html
http://secunia.com/advisories/61307
http://support.apple.com/kb/HT6448
http://wiki.postgresql.org/wiki/20140220securityrelease
http://www.debian.org/security/2014/dsa-2864
http://www.debian.org/security/2014/dsa-2865
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.postgresql.org/about/news/1506/
http://www.ubuntu.com/usn/USN-2120-1
http://puppet.com/security/cve/cve-2014-0060
http://support.apple.com/kb/HT6536
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote via the Internet.
How the attacker can exploit this vulnerability?
The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.