U.S. flag   An official website of the United States government
Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock (Dot gov) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Search Results (Refine Search)

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:postgresql:postgresql:9.4.2:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 32 matching records.
Displaying matches 21 through 32.
Vuln ID Summary CVSS Severity
CVE-2017-7546

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password.

Published: August 16, 2017; 2:29:00 PM -0400
V3.0: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2017-7486

PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server.

Published: May 12, 2017; 3:29:00 PM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2017-7485

In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.

Published: May 12, 2017; 3:29:00 PM -0400
V3.0: 5.9 MEDIUM
V2.0: 4.3 MEDIUM
CVE-2017-7484

It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.

Published: May 12, 2017; 3:29:00 PM -0400
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2016-5424

PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.

Published: December 09, 2016; 6:59:02 PM -0500
V3.0: 7.1 HIGH
V2.0: 4.6 MEDIUM
CVE-2016-5423

PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types.

Published: December 09, 2016; 6:59:00 PM -0500
V3.0: 8.3 HIGH
V2.0: 6.5 MEDIUM
CVE-2016-0773

PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression.

Published: February 17, 2016; 10:59:02 AM -0500
V3.0: 7.5 HIGH
V2.0: 5.0 MEDIUM
CVE-2016-0766

PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors.

Published: February 17, 2016; 10:59:01 AM -0500
V3.0: 8.8 HIGH
V2.0: 9.0 HIGH
CVE-2015-5289

Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values.

Published: October 26, 2015; 10:59:02 AM -0400
V3.x:(not available)
V2.0: 6.4 MEDIUM
CVE-2015-5288

The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a "too-short" salt.

Published: October 26, 2015; 10:59:01 AM -0400
V3.x:(not available)
V2.0: 6.4 MEDIUM
CVE-2010-3781

The PL/php add-on 1.4 and earlier for PostgreSQL does not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, a related issue to CVE-2010-3433.

Published: October 06, 2010; 5:00:01 PM -0400
V3.x:(not available)
V2.0: 6.0 MEDIUM
CVE-2009-2943

The postgresql-ocaml bindings 1.5.4, 1.7.0, and 1.12.1 for PostgreSQL libpq do not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.

Published: October 22, 2009; 12:30:00 PM -0400
V3.x:(not available)
V2.0: 7.5 HIGH