VID 25134
Severity 40
Port 5432
Protocol TCP
Class DB
Detailed Description The PostgreSQL server, according to its version number, has multiple vulnerabilities. PostgreSQL is an object-relational database management system (DBMS) that supports an extended subset of SQL.
The version of PostgreSQL installed on the remote host is 9.0.x prior to 9.0.13. It is therefore potentially affected by multiple vulnerabilities :

- Enterprise DB's installers for Linux and Mac OS X create a directory and file in '/tmp' with predictable names. (CVE-2013-1902)

- Enterprise DB's installers for Linux and Mac OS X pass the database superuser password to a script in an insecure fashion. (CVE-2013-1903)

* Note: This check relies solely on the version number reported by the remote PostgreSQL server, so it may be a false positive. In particular, both issues listed above concern EnterpriseDB's installers for Linux and Mac OS X; a 9.0.x server that was not installed with those installers is not exposed to these two issues, and the version number alone cannot tell how the server was installed.
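As an added illustration (not part of the original advisory or of any scanner's code), the following Python reproduces the kind of version comparison this check performs, generalised to the four branches whose release notes are referenced below (8.4.17, 9.0.13, 9.1.9, 9.2.4). It parses either the banner returned by `SELECT version();` or the bare value of `SHOW server_version;` and reports whether the build predates the fixed release for its branch. The sample banners are constructed input; the function names and the branch table are assumptions of this example.

```python
import re

# Earliest fixed release per branch, taken from the release notes referenced
# in this advisory. Branches not listed here are not assessed.
FIXED_VERSIONS = {
    (8, 4): (8, 4, 17),
    (9, 0): (9, 0, 13),
    (9, 1): (9, 1, 9),
    (9, 2): (9, 2, 4),
}

# "PostgreSQL 9.0.12 on x86_64-unknown-linux-gnu, ..." as returned by version()
_BANNER_RE = re.compile(r"PostgreSQL\s+(\d+)\.(\d+)(?:\.(\d+))?")
# "9.0.12" as returned by SHOW server_version
_BARE_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) from a version() banner or a bare
    server_version string, or None if no version number can be found.
    A missing patch component is treated as 0."""
    m = _BANNER_RE.search(text) or _BARE_RE.match(text)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def assess(text):
    """Version-only assessment in the style of this check.

    Returns a dict with:
      status  - "vulnerable", "fixed", or "unknown"
      version - parsed tuple or None
      fixed   - the first fixed release for the branch, if known
    "unknown" covers unparsable input and branches this advisory does not list;
    "vulnerable" is still only a version-based inference (see the Note above).
    """
    version = parse_version(text)
    if version is None:
        return {"status": "unknown", "version": None, "fixed": None}
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return {"status": "unknown", "version": version, "fixed": None}
    status = "vulnerable" if version < fixed else "fixed"
    return {"status": status, "version": version, "fixed": fixed}


def is_vulnerable(text):
    """True/False for a known branch, None when the check cannot decide."""
    result = assess(text)
    if result["status"] == "unknown":
        return None
    return result["status"] == "vulnerable"


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    samples = [
        "PostgreSQL 9.0.12 on x86_64-unknown-linux-gnu, compiled by gcc, 64-bit",
        "PostgreSQL 9.0.13 on x86_64-unknown-linux-gnu, compiled by gcc, 64-bit",
        "9.2.3",
        "PostgreSQL 9.3.1 on x86_64-unknown-linux-gnu, compiled by gcc, 64-bit",
        "not a postgres banner",
    ]
    for s in samples:
        print(f"{s!r:80} -> {assess(s)['status']}")
```

Feed it the output of `psql -Atc 'SELECT version();'` or `psql -Atc 'SHOW server_version;'`; both require a database login, which is also why a remote scanner that only sees port 5432 can end up guessing from whatever version string it can obtain.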

* References:
http://www.postgresql.org/about/news/1456/
http://www.postgresql.org/docs/8.4/static/release-8-4-17.html
http://www.postgresql.org/docs/9.0/static/release-9-0-13.html
http://www.postgresql.org/docs/9.1/static/release-9-1-9.html
http://www.postgresql.org/docs/9.2/static/release-9-2-4.html

* Platforms Affected:
PostgreSQL prior to 9.0.13
Any operating system Any version
Recommendation Upgrade to the latest version of PostgreSQL (9.0.13 or later), available from the PostgreSQL Web page at http://www.postgresql.org/download/
Related URL CVE-2013-1902,CVE-2013-1903 (CVE)
Related URL 58877,58882 (SecurityFocus)