Input validation error in PostgreSQL

#VU32710 Input validation error in PostgreSQL

Published: 2020-07-29

Vulnerability identifier: #VU32710

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:L/PR:/UI:N/S:U/C:L/I:L/A:L/E:F/RL:O/RC:C]

CVE-ID: CVE-2013-1899

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).

Mitigation
Update to version 9.2.4.

Vulnerable software versions

PostgreSQL: 9.2.0 - 9.2.3

External links
http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
http://support.apple.com/kb/HT5880
http://support.apple.com/kb/HT5892
http://www.debian.org/security/2013/dsa-2658
http://www.mandriva.com/security/advisories?name=MDVSA-2013:142
http://www.postgresql.org/about/news/1456/
http://www.postgresql.org/docs/current/static/release-9-0-13.html
http://www.postgresql.org/docs/current/static/release-9-1-9.html
http://www.postgresql.org/docs/current/static/release-9-2-4.html
http://www.postgresql.org/support/security/faq/2013-04-04/
http://www.ubuntu.com/usn/USN-1789-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

Latest bulletins with this vulnerability

Gentoo update for PostgreSQL

SUSE Linux update for PostgreSQL

Input validation error in postgresql (Alpine package)

SUSE Linux update for PostgreSQL

Input validation error in PostgreSQL

Amazon Linux AMI update for postgresql9