CVE-2014-0063
|
Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065.
Published:
March 31, 2014; 10:58:15 AM -04:00
|
V2: 6.5 MEDIUM
|
CVE-2014-0062
|
Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window.
Published:
March 31, 2014; 10:58:15 AM -04:00
|
V2: 4.9 MEDIUM
|
CVE-2014-0061
|
The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.
Published:
March 31, 2014; 10:58:15 AM -04:00
|
V2: 6.5 MEDIUM
|
CVE-2014-0060
|
PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.
Published:
March 31, 2014; 10:58:08 AM -04:00
|
V2: 4.0 MEDIUM
|
CVE-2012-4575
|
The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a denial of service (daemon outage) via a long database name in a request.
Published:
November 18, 2012; 02:55:01 PM -05:00
|
V2: 5.0 MEDIUM
|
CVE-2010-3781
|
The PL/php add-on 1.4 and earlier for PostgreSQL does not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, a related issue to CVE-2010-3433.
Published:
October 06, 2010; 05:00:01 PM -04:00
|
V2: 6.0 MEDIUM
|
CVE-2010-0733
|
Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations.
Published:
March 19, 2010; 03:30:00 PM -04:00
|
V2: 3.5 LOW
|
CVE-2009-2943
|
The postgresql-ocaml bindings 1.5.4, 1.7.0, and 1.12.1 for PostgreSQL libpq do not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.
Published:
October 22, 2009; 12:30:00 PM -04:00
|
V2: 7.5 HIGH
|