#VU32338 Permissions, Privileges, and Access Controls in PostgreSQL - CVE-2016-0766

 


Published: February 17, 2016 / Updated: July 28, 2020


Vulnerability identifier: #VU32338
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2016-0766
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: PostgreSQL
Software vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote authenticated user to execute arbitrary code.

PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCs) for PL/Java, which allows attackers to gain privileges via unspecified vectors.


Remediation

Install the update from the vendor's website.
