Page 2 of 56 results (0.005 seconds)

CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 1

A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. Se encontró una vulnerabilidad en postgresql versiones 11.x anteriores a 11.3. • https://bugzilla.redhat.com/show_bug.cgi?id=1707102 https://security.netapp.com/advisory/ntap-20210430-0004 https://www.postgresql.org/about/news/1939 • CWE-284: Improper Access Control •

CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0

A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for BigSQL-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. An attacker having only the unprivileged Windows account can read arbitrary data directory files, essentially bypassing database-imposed read access limitations. An attacker having only the unprivileged Windows account can also delete certain data directory files. • https://bugzilla.redhat.com/show_bug.cgi?id=1707098 https://security.netapp.com/advisory/ntap-20210430-0004 https://www.postgresql.org/about/news/1939 • CWE-284: Improper Access Control •

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0

A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality. Se ha encontrado un fallo en PostgreSQL en las versiones anteriores a la 13.2. Este fallo permite a un usuario con privilegio SELECT en una columna elaborar una consulta especial que devuelva todas las columnas de la tabla. • https://bugzilla.redhat.com/show_bug.cgi?id=1925296 https://security.gentoo.org/glsa/202105-32 https://security.netapp.com/advisory/ntap-20210326-0005 • CWE-863: Incorrect Authorization •

CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0

An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read. Se detectó un filtrado de información en postgresql en versiones anteriores a 13.2, versiones anteriores a 12.6 y versiones anteriores a 11.11. Un usuario que tenga el permiso UPDATE pero no el permiso SELECT para una columna en particular podría diseñar consultas que, en algunas circunstancias, podrían divulgar valores de esa columna en mensajes de error. • https://bugzilla.redhat.com/show_bug.cgi?id=1924005 https://security.gentoo.org/glsa/202105-32 https://security.netapp.com/advisory/ntap-20210507-0006 https://access.redhat.com/security/cve/CVE-2021-3393 • CWE-209: Generation of Error Message Containing Sensitive Information •

CVSS: 8.8EPSS: 2%CPEs: 7EXPL: 0

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en PostgreSQL versiones anteriores a 13.1, anteriores a 12.5, anteriores a 11.10, anteriores a 10.15, anteriores a 9.6.20 y anteriores a 9.5.24. Un atacante que tenga permiso para crear objetos no temporales en al menos un esquema puede ejecutar funciones SQL arbitrarias bajo la identidad de un superusuario. • https://bugzilla.redhat.com/show_bug.cgi?id=1894425 https://lists.debian.org/debian-lts-announce/2020/12/msg00005.html https://security.gentoo.org/glsa/202012-07 https://security.netapp.com/advisory/ntap-20201202-0003 https://www.postgresql.org/support/security https://access.redhat.com/security/cve/CVE-2020-25695 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •