| Field | Value |
|---|---|
| VID | 25038 |
| Severity | 30 |
| Port | 5432 |
| Protocol | TCP |
| Class | DB |

Detailed Description:

The PostgreSQL server, according to its version number, has an insecure temporary file creation vulnerability. PostgreSQL is an object-relational database management system (DBMS) that supports an extended subset of SQL. PostgreSQL version 7.4.5 and earlier could allow a local attacker to overwrite arbitrary files with the privileges of the application. This issue is likely due to a design error: the application fails to verify whether a file already exists before writing to it. A local attacker could use this flaw to overwrite arbitrary files with the privileges of an unsuspecting user who runs the vulnerable application.

* Note: This check relies solely on the version number reported by the remote PostgreSQL server to assess this vulnerability, so it may be a false positive.
* Platforms Affected: PostgreSQL 7.4.5 and earlier; Windows (any version); UNIX (any version); Linux (any version)

Recommendation:

Upgrade to a fixed version of PostgreSQL (7.4.6 or later) when it becomes available from the PostgreSQL FTP site at ftp://ftp.postgresql.org/pub/

For Trustix Secure Linux: Upgrade to the latest postgresql package, as listed in Trustix Secure Linux Security Advisory #2004-0050 at http://www.linuxsecurity.com/advisories/trustix_advisory-4882.html

For other distributions: Contact your vendor for upgrade or patch information.

Related URLs:

* CVE-2004-0977 (CVE)
* 11295 (SecurityFocus)
* (ISS)