CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2019-10211
https://notcve.org/view.php?id=CVE-2019-10211
29 Oct 2019 — Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory. El instalador de Postgresql Windows anterior a las versiones 11.5, 10.10, 9.6.15, 9.5.19 y 9.4.24, es vulnerable por medio del código de ejecución de OpenSSL integrado desde un directorio desprotegido • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10211 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.0EPSS: 0%CPEs: 6EXPL: 0CVE-2019-10210
https://notcve.org/view.php?id=CVE-2019-10210
29 Oct 2019 — Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via superuser writing password to unprotected temporary file. El instalador de Postgresql Windows anterior a las versiones 11.5, 10.10, 9.6.15, 9.5.19 y 9.4.24, es vulnerable por medio de un superusuario al escribir una contraseña en un archivo temporal desprotegido. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10210 • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.8EPSS: 0%CPEs: 60EXPL: 0CVE-2019-3800 – CF CLI writes the client id and secret to config file
https://notcve.org/view.php?id=CVE-2019-3800
05 Aug 2019 — CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with --client-credentials flag. A local authenticated malicious user with access to the CF CLI config file can act as that client, who is the owner of the leaked credentials. La CLI de CF anterior a versión v6.45.0 (versión de lanzamiento bosh 1.16.0), escribe el id y el secreto del cliente hacia su archivo de configuración cuando el usuario se autentica con el flag --... • https://pivotal.io/security/cve-2019-3800 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-522: Insufficiently Protected Credentials •
CVSS: 9.3EPSS: 6%CPEs: 5EXPL: 0CVE-2016-7048
https://notcve.org/view.php?id=CVE-2016-7048
20 Aug 2018 — The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5 might allow remote attackers to execute arbitrary code by leveraging use of HTTP to download software. El instalador interactivo en PostgreSQL en versiones anteriores a la 9.3.15, 9.4.x anteriores a la 9.4.10 y 9.5.x anteriores a la 9.5.5 podría permitir que los atacantes remotos ejecuten código arbitrario utilizando HTTP para descargar software. • https://bugzilla.redhat.com/show_bug.cgi?id=1378043 • CWE-284: Improper Access Control •
CVSS: 9.1EPSS: 0%CPEs: 3EXPL: 0CVE-2018-1115 – postgresql: Too-permissive access control list on function pg_logfile_rotate()
https://notcve.org/view.php?id=CVE-2018-1115
10 May 2018 — postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs than pg_rorate_logfile. If the adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation. postgresql en versiones anteriores a la 10.4 y la 9.6.9 es vulnerable en la extensión adminpack. La función pg_catalog.pg_logfile_rotate() no sigue las mismas lista de control de acceso que pg_rorate_logfile. Si admin... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 2CVE-2017-14798 – local privilege escalation in SUSE postgresql init script
https://notcve.org/view.php?id=CVE-2017-14798
01 Mar 2018 — A race condition in the postgresql init script could be used by attackers able to access the postgresql account to escalate their privileges to root. Una condición de carrera en el script init de postgresql podría ser aprovechada por atacantes para acceder a la cuenta postgresql y escalar sus privilegios a root. PostgreSQL version 9.4-0.5.3 suffers from a privilege escalation vulnerability. • https://packetstorm.news/files/id/148884 • CWE-61: UNIX Symbolic Link (Symlink) Following CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-0768
https://notcve.org/view.php?id=CVE-2016-0768
06 Jun 2017 — PostgreSQL PL/Java after 9.0 does not honor access controls on large objects. PL/Java posterior a la versión 9.0 de PostgreSQL, no respeta los controles de acceso en objetos grandes. • https://tada.github.io/pljava/releasenotes.html • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 40EXPL: 0CVE-2017-7484 – postgresql: Selectivity estimators bypass SELECT privilege checks
https://notcve.org/view.php?id=CVE-2017-7484
12 May 2017 — It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. Se ha descubierto que algunas funciones de estimación de selectividad en PostgreSQL, en versiones anteriores ... • http://www.debian.org/security/2017/dsa-3851 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization CWE-862: Missing Authorization •
CVSS: 8.5EPSS: 3%CPEs: 47EXPL: 0CVE-2016-5423 – postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference
https://notcve.org/view.php?id=CVE-2016-5423
12 Aug 2016 — PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types. Postgre... • http://rhn.redhat.com/errata/RHSA-2016-1781.html • CWE-476: NULL Pointer Dereference CWE-822: Untrusted Pointer Dereference •
CVSS: 7.6EPSS: 1%CPEs: 47EXPL: 0CVE-2016-5424 – postgresql: privilege escalation via crafted database and role names
https://notcve.org/view.php?id=CVE-2016-5424
12 Aug 2016 — PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation. PostgreSQL en versiones anteriores a 9.1.23, 9.2.x en versiones anteriores a 9.2.18, 9.3.x en versiones anteriore... • http://rhn.redhat.com/errata/RHSA-2016-1781.html • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •