SB2024021385 - Improper Authentication in PostgreSQL
Published: February 13, 2024 Updated: June 23, 2025
Security Bulletin ID
SB2024021385
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Authentication (CVE-ID: CVE-2009-3231)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.
Remediation
Install update from vendor's website.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=522084
- http://www.securityfocus.com/bid/36314
- https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html
- http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
- https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html
- http://www.postgresql.org/support/security.html
- http://secunia.com/advisories/36727
- http://secunia.com/advisories/36660
- http://secunia.com/advisories/36837
- http://www.us.debian.org/security/2009/dsa-1900
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- http://secunia.com/advisories/36800
- http://www.ubuntu.com/usn/usn-834-1
- http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0012
- http://marc.info/?l=bugtraq&m=134124585221119&w=2
- http://www.securityfocus.com/archive/1/509917/100/0/threaded