#VU111768 Permissions, Privileges, and Access Controls in PostgreSQL - CVE-2010-1447


Updated: 2025-06-23

Vulnerability identifier: #VU111768

Vulnerability risk: High

CVSSv4.0: 6.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2010-1447

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote user to execute arbitrary code.

The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2, allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving subroutine references and delayed execution.

Mitigation
Install the update from the vendor's website.
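
One way to triage servers against the fixed releases named in the description, as an added example that is not part of the original advisory: the function names, status labels and sample inventory are constructed for illustration, and the version string is assumed to come from `SELECT version()` or `SHOW server_version`. Branches the advisory does not name are reported as not listed rather than guessed.

```python
import re

# First fixed release per branch, as stated in the advisory description.
FIXED_MINOR = {(7, 4): 29, (8, 0): 25, (8, 1): 21,
               (8, 2): 17, (8, 3): 11, (8, 4): 4}
FIXED_90_BETA = 2  # "9.0 Beta before 9.0 Beta 2"

_VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+)|(beta|rc)(\d+))?", re.IGNORECASE)


def cve_2010_1447_status(version_string):
    """Classify a PostgreSQL version string as 'vulnerable', 'fixed' or 'not-listed'."""
    m = _VERSION.search(version_string)
    if m is None:
        raise ValueError(f"no PostgreSQL version found in {version_string!r}")
    branch = (int(m.group(1)), int(m.group(2)))
    patch, pre_kind, pre_num = m.group(3), m.group(4), m.group(5)

    if branch == (9, 0):
        # Only pre-releases before Beta 2 are in the affected range; later
        # 9.0 builds (beta2+, rc, final) are assumed to carry the fix.
        if pre_kind and pre_kind.lower() == "beta" and int(pre_num) < FIXED_90_BETA:
            return "vulnerable"
        return "fixed"
    if branch not in FIXED_MINOR:
        # Branch not named in the advisory: do not guess either way.
        return "not-listed"
    # A bare "8.3" is treated as the .0 release of that branch.
    return "vulnerable" if int(patch or 0) < FIXED_MINOR[branch] else "fixed"


def triage(inventory):
    """Return the hosts whose reported version is in the affected range."""
    return sorted(h for h, v in inventory.items()
                  if cve_2010_1447_status(v) == "vulnerable")


# Constructed sample inventory (host names and version strings are made up).
SAMPLE = {
    "db-a": "PostgreSQL 8.3.9 on x86_64-pc-linux-gnu, compiled by GCC 4.1.2",
    "db-b": "PostgreSQL 8.4.4 on x86_64-pc-linux-gnu",
    "db-c": "9.0beta1",
    "db-d": "PostgreSQL 9.1.2 on x86_64-unknown-linux-gnu",
}

if __name__ == "__main__":
    for host, version in sorted(SAMPLE.items()):
        print(host, cve_2010_1447_status(version))
    print("needs update:", triage(SAMPLE))
```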

Vulnerable software versions

PostgreSQL: 7.4, 7.4.1 - 7.4.19, 7.4.2, 7.4.3, 7.4.4, 7.4.5 - 8.1.3, 7.4.6, 7.4.7, 7.4.8, 7.4.9, 7.4.10 - 8.4.1, 7.4.11 - 8.4.3, 7.4.12, 7.4.13, 7.4.14, 7.4.15, 7.4.16, 7.4.20, 7.4.21, 7.4.22, 7.4.23, 7.4.24, 7.4.25, 7.4.26, 7.4.27, 7.4.28, 8.0, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.0.11, 8.0.12, 8.0.13, 8.0.14, 8.0.15, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.1.15, 8.1.16, 8.1.17, 8.1.18, 8.1.19, 8.1.20, 8.2, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 8.2.13, 8.2.14, 8.2.15, 8.2.16, 8.3, 8.3.0, 8.3.1, 8.3.2, 8.3.3


External links
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
https://osvdb.org/64756
https://secunia.com/advisories/39845
https://secunia.com/advisories/40049
https://secunia.com/advisories/40052
https://security-tracker.debian.org/tracker/CVE-2010-1447
https://www.debian.org/security/2011/dsa-2267
https://www.mandriva.com/security/advisories?name=MDVSA-2010:115
https://www.mandriva.com/security/advisories?name=MDVSA-2010:116
https://www.openwall.com/lists/oss-security/2010/05/20/5
https://www.postgresql.org/about/news.1203
https://www.redhat.com/support/errata/RHSA-2010-0457.html
https://www.redhat.com/support/errata/RHSA-2010-0458.html
https://www.securityfocus.com/bid/40305
https://www.securitytracker.com/id?1023988
https://www.vupen.com/english/advisories/2010/1167
https://bugs.launchpad.net/bugs/cve/2010-1447
https://bugzilla.redhat.com/show_bug.cgi?id=588269
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11530
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7320


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

