#VU111771 Input validation error in PostgreSQL - CVE-2010-0733


Updated: 2025-06-23

Vulnerability identifier: #VU111771

Vulnerability risk: Low

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2010-0733

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software: PostgreSQL (Server applications / Database software)

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote user to cause a denial of service.

Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations.

Mitigation
Install the update from the vendor's website.

Vulnerable software versions

PostgreSQL: 8.4, 8.4.0, 8.4.1


External links
https://archives.postgresql.org/pgsql-bugs/2009-10/msg00289.php
https://www.openwall.com/lists/oss-security/2010/03/09/2
https://bugzilla.redhat.com/show_bug.cgi?id=546621
https://www.openwall.com/lists/oss-security/2010/03/16/10
https://archives.postgresql.org/pgsql-bugs/2009-10/msg00287.php
https://archives.postgresql.org/pgsql-bugs/2009-10/msg00310.php
https://archives.postgresql.org/pgsql-bugs/2009-10/msg00277.php
https://www.redhat.com/support/errata/RHSA-2010-0428.html
https://www.redhat.com/support/errata/RHSA-2010-0427.html
https://www.redhat.com/support/errata/RHSA-2010-0429.html
https://www.securityfocus.com/bid/38619
https://secunia.com/advisories/39820
https://www.vupen.com/english/advisories/2010/1197
https://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10691
https://git.postgresql.org/gitweb?p=postgresql.git%3Ba=commit%3Bh=64b057e6823655fb6c5d1f24a28f236b94dd6c54


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.

