| Field | Value |
|---|---|
| VID | 25050 |
| Severity | 40 |
| Port | 5432 |
| Protocol | TCP |
| Class | DB |
| Detailed Description | The PostgreSQL server, according to its version number, has multiple remote vulnerabilities. PostgreSQL is an object-relational database management system (DBMS) that supports an extended subset of SQL. PostgreSQL versions 7.3 through 8.0.2 contain the two vulnerabilities listed below, which malicious users can exploit to cause a denial of service or potentially gain escalated privileges: 1) Character conversion vulnerability: a flaw in the character set conversion functions allows a remote authenticated attacker to execute arbitrary SQL commands. 2) tsearch2 vulnerability: by sending a specially crafted SQL command that calls functions accepting "internal" arguments, a remote authenticated attacker could crash the service. This vulnerability affects versions 7.4 and later with the contrib/tsearch2 module installed. |
| Note | This check relies solely on the version number reported by the remote PostgreSQL server to assess the vulnerability, so it may be a false positive. |
| References | http://secunia.com/advisories/15217/ |
| Platforms Affected | PostgreSQL versions 7.3 through 8.0.2; any operating system, any version |
| Recommendation | Apply the workaround listed in PostgreSQL Security Advisory 2005-05-02 at http://www.postgresql.org/about/news.315, or upgrade to the latest version of PostgreSQL (7.3.10, 7.4.8, 8.0.3 or later), available from the PostgreSQL FTP web page at http://wwwmaster.postgresql.org/ftp/ |
| Related URL | CVE-2005-1409, CVE-2005-1410 (CVE) |
| Related URL | 13475, 13476 (SecurityFocus) |
| Related URL | 20401, 20402 (ISS) |