#VU40402 Security Features in PostgreSQL - CVE-2016-2193

Cybersecurity Help s.r.o.

Published: 2016-04-11 | Updated: 2020-08-09

Vulnerability identifier: #VU40402

Vulnerability risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-2193

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

PostgreSQL before 9.5.x before 9.5.2 does not properly maintain row-security status in cached plans, which might allow attackers to bypass intended access restrictions by leveraging a session that performs queries as more than one role.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PostgreSQL: 9.5 - 9.5.1

External links
http://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=db69e58a0642ef7fa46d62f6c4cf2460c3a1b41b
http://www.postgresql.org/about/news/1656/
http://www.postgresql.org/docs/current/static/release-9-5-2.html
http://www.securitytracker.com/id/1035468

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for AIOps

openEuler 22.03 LTS SP3 update for libpq

openEuler 22.03 LTS SP1 update for libpq

openEuler 24.03 LTS update for libpq

openEuler 22.03 LTS SP4 update for libpq

openEuler 24.03 LTS update for postgresql

openEuler 22.03 LTS SP4 update for postgresql

openEuler 22.03 LTS SP3 update for postgresql

openEuler 22.03 LTS SP1 update for postgresql

Multiple vulnerabilities in PostgreSQL