SB2025092619 - Tenable Security Center update for third-party components

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Buffer Over-read (CVE-ID: CVE-2025-4207)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a buffer over-read in GB18030 encoding validation. A remote attacker can pass specially crafted input to the application, trigger a one-byte buffer over-read and perform a denial of service (DoS) attack.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2025-8713)

The vulnerability allows a remote user to gain access to sensitive information. 

The vulnerability exists due to PostgreSQL optimizer statistics allow a user to read sampled data within a view that the user cannot access. A remote user can gain access to sensitive information. 

3) Code Injection (CVE-ID: CVE-2025-8714)

The vulnerability allows a remote user to execute arbitrary psql code on the target system.

The vulnerability exists due to improper input validation in pg_dump. A malicious superuser of the origin server to inject arbitrary psql code for restore-time execution as the client operating system account running psql to restore the dump, via psql meta-commands, such as pg_dump, pg_dumpall, and pg_restore.

4) Input validation error (CVE-ID: CVE-2025-8715)

The vulnerability allows a remote user to execute arbitrary psql code.

The vulnerability exists in pg_dump due to insufficient validation of user-supplied input when handling new line characters. A remote attacker can trick the victim into loading a specially crafted backup and execute arbitrary psql code on the system.

Remediation

Install update from vendor's website.

References

• https://www.tenable.com/security/tns-2025-18