Risk | High |
Patch available | YES |
Number of vulnerabilities | 4 |
CVE-ID | CVE-2024-10976 CVE-2024-10977 CVE-2024-10978 CVE-2024-10979 |
CWE-ID | CWE-269 CWE-300 CWE-266 CWE-285 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software |
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Operating systems & Components / Operating system SUSE Linux Enterprise Server 12 SP5 Operating systems & Components / Operating system SUSE Linux Enterprise Server for SAP Applications 12 Operating systems & Components / Operating system SUSE Linux Enterprise Server 12 Operating systems & Components / Operating system SUSE Linux Enterprise High Performance Computing 12 Operating systems & Components / Operating system postgresql13-docs Operating systems & Components / Operating system package or component postgresql13-server Operating systems & Components / Operating system package or component postgresql13-contrib-debuginfo Operating systems & Components / Operating system package or component postgresql13-plpython Operating systems & Components / Operating system package or component postgresql13-plperl Operating systems & Components / Operating system package or component postgresql13-server-debuginfo Operating systems & Components / Operating system package or component postgresql13-debugsource Operating systems & Components / Operating system package or component postgresql13-plperl-debuginfo Operating systems & Components / Operating system package or component postgresql13-contrib Operating systems & Components / Operating system package or component postgresql13-debuginfo Operating systems & Components / Operating system package or component postgresql13 Operating systems & Components / Operating system package or component postgresql13-plpython-debuginfo Operating systems & Components / Operating system package or component postgresql13-pltcl Operating systems & Components / Operating system package or component postgresql13-pltcl-debuginfo Operating systems & Components / Operating system package or component |
Vendor | SUSE |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
EUVDB-ID: #VU100511
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-10976
CWE-ID:
CWE-269 - Improper Privilege Management
Exploit availability: No
DescriptionThe vulnerability allows a remote user to bypass implemented security restrictions.
The vulnerability exists due to improper privilege management in cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. A remote user can bypass implemented security restrictions and gain unauthorized access to the database in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles.
MitigationUpdate the affected package postgresql13 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended: Security
SUSE Linux Enterprise Server 12 SP5: LTSS
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
postgresql13-docs: before 13.18-3.55.2
postgresql13-server: before 13.18-3.55.2
postgresql13-contrib-debuginfo: before 13.18-3.55.2
postgresql13-plpython: before 13.18-3.55.2
postgresql13-plperl: before 13.18-3.55.2
postgresql13-server-debuginfo: before 13.18-3.55.2
postgresql13-debugsource: before 13.18-3.55.2
postgresql13-plperl-debuginfo: before 13.18-3.55.2
postgresql13-contrib: before 13.18-3.55.2
postgresql13-debuginfo: before 13.18-3.55.2
postgresql13: before 13.18-3.55.2
postgresql13-plpython-debuginfo: before 13.18-3.55.2
postgresql13-pltcl: before 13.18-3.55.2
postgresql13-pltcl-debuginfo: before 13.18-3.55.2
CPE2.3http://www.suse.com/support/update/announcement/2024/suse-su-20244114-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU100512
Risk: Low
CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-10977
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to spoof error messages from the database.
The vulnerability exists due to an error in libpq, which allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. A remote attacker can perform a man-in-the-middle attack to send a long error message that a human or screen-scraper user of psql mistakes for valid query results.
MitigationUpdate the affected package postgresql13 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended: Security
SUSE Linux Enterprise Server 12 SP5: LTSS
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
postgresql13-docs: before 13.18-3.55.2
postgresql13-server: before 13.18-3.55.2
postgresql13-contrib-debuginfo: before 13.18-3.55.2
postgresql13-plpython: before 13.18-3.55.2
postgresql13-plperl: before 13.18-3.55.2
postgresql13-server-debuginfo: before 13.18-3.55.2
postgresql13-debugsource: before 13.18-3.55.2
postgresql13-plperl-debuginfo: before 13.18-3.55.2
postgresql13-contrib: before 13.18-3.55.2
postgresql13-debuginfo: before 13.18-3.55.2
postgresql13: before 13.18-3.55.2
postgresql13-plpython-debuginfo: before 13.18-3.55.2
postgresql13-pltcl: before 13.18-3.55.2
postgresql13-pltcl-debuginfo: before 13.18-3.55.2
CPE2.3http://www.suse.com/support/update/announcement/2024/suse-su-20244114-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU100513
Risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-10978
CWE-ID:
CWE-266 - Incorrect Privilege Assignment
Exploit availability: No
DescriptionThe vulnerability allows a remote user to escalate privileges within the application.
The vulnerability exists due to incorrect privilege assignment when application uses SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. A remote user can force the application to reset their role to a wrong user ID and view or change different rows from those intended.
MitigationUpdate the affected package postgresql13 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended: Security
SUSE Linux Enterprise Server 12 SP5: LTSS
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
postgresql13-docs: before 13.18-3.55.2
postgresql13-server: before 13.18-3.55.2
postgresql13-contrib-debuginfo: before 13.18-3.55.2
postgresql13-plpython: before 13.18-3.55.2
postgresql13-plperl: before 13.18-3.55.2
postgresql13-server-debuginfo: before 13.18-3.55.2
postgresql13-debugsource: before 13.18-3.55.2
postgresql13-plperl-debuginfo: before 13.18-3.55.2
postgresql13-contrib: before 13.18-3.55.2
postgresql13-debuginfo: before 13.18-3.55.2
postgresql13: before 13.18-3.55.2
postgresql13-plpython-debuginfo: before 13.18-3.55.2
postgresql13-pltcl: before 13.18-3.55.2
postgresql13-pltcl-debuginfo: before 13.18-3.55.2
CPE2.3http://www.suse.com/support/update/announcement/2024/suse-su-20244114-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU100514
Risk: High
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-10979
CWE-ID:
CWE-285 - Improper Authorization
Exploit availability: No
DescriptionThe vulnerability allows a remote user to compromise the affected system.
The vulnerability exists due to incorrect control of environment variables. A remote unprivileged database user can change sensitive process environment variables (e.g. PATH) and execute arbitrary code on the database server.
Update the affected package postgresql13 to the latest version.
Vulnerable software versionsSUSE Linux Enterprise Server 12 SP5 LTSS Extended: Security
SUSE Linux Enterprise Server 12 SP5: LTSS
SUSE Linux Enterprise Server for SAP Applications 12: SP5
SUSE Linux Enterprise Server 12: SP5
SUSE Linux Enterprise High Performance Computing 12: SP5
postgresql13-docs: before 13.18-3.55.2
postgresql13-server: before 13.18-3.55.2
postgresql13-contrib-debuginfo: before 13.18-3.55.2
postgresql13-plpython: before 13.18-3.55.2
postgresql13-plperl: before 13.18-3.55.2
postgresql13-server-debuginfo: before 13.18-3.55.2
postgresql13-debugsource: before 13.18-3.55.2
postgresql13-plperl-debuginfo: before 13.18-3.55.2
postgresql13-contrib: before 13.18-3.55.2
postgresql13-debuginfo: before 13.18-3.55.2
postgresql13: before 13.18-3.55.2
postgresql13-plpython-debuginfo: before 13.18-3.55.2
postgresql13-pltcl: before 13.18-3.55.2
postgresql13-pltcl-debuginfo: before 13.18-3.55.2
CPE2.3http://www.suse.com/support/update/announcement/2024/suse-su-20244114-1/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.