Improper Authentication in PostgreSQL - CVE-2009-3231
Published: February 13, 2024 / Updated: June 23, 2025
Vulnerability identifier: #VU111775
CSH Severity: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2009-3231
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
PostgreSQL
PostgreSQL
Software vendor:
PostgreSQL Global Development Group
PostgreSQL Global Development Group
Description
The vulnerability allows a remote non-authenticated attacker to read and manipulate data.
The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.
Remediation
Install update from vendor's website.
External links
- https://bugzilla.redhat.com/show_bug.cgi?id=522084
- http://www.securityfocus.com/bid/36314
- https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html
- http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
- https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html
- http://www.postgresql.org/support/security.html
- http://secunia.com/advisories/36727
- http://secunia.com/advisories/36660
- http://secunia.com/advisories/36837
- http://www.us.debian.org/security/2009/dsa-1900
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- http://secunia.com/advisories/36800
- http://www.ubuntu.com/usn/usn-834-1
- http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0012
- http://marc.info/?l=bugtraq&m=134124585221119&w=2
- http://www.securityfocus.com/archive/1/509917/100/0/threaded