CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 0CVE-2017-7548 – postgresql: lo_put() function ignores ACLs
https://notcve.org/view.php?id=CVE-2017-7548
10 Aug 2017 — PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers with no privileges on a large object to overwrite the entire contents of the object, resulting in a denial of service. PostgreSQL en sus versiones anteriores a 9.4.13, 9.5.8 y 9.6.4 es vulnerable a un fallo de autorización que permite que atacantes remotos sin privilegios sobre un gran objeto sobreescriban todo el contenido del objeto. Esto resultaría en una denegación de servicio.... • http://www.debian.org/security/2017/dsa-3935 • CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 15%CPEs: 66EXPL: 0CVE-2017-7546 – postgresql: Empty password accepted in some authentication methods
https://notcve.org/view.php?id=CVE-2017-7546
10 Aug 2017 — PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password. PostgreSQL en sus versiones anteriores a 9.2.22, 9.3.18, 9.4.13, 9.5.8 y 9.6.4 es vulnerable a un fallo de autenticación incorrecta que permite que atacantes remotos obtengan acceso a cuentas de la base de datos con una contraseña vacía. It was found that authenticating to a PostgreSQL database account with an... • http://www.debian.org/security/2017/dsa-3935 • CWE-287: Improper Authentication •
CVSS: 8.8EPSS: 0%CPEs: 65EXPL: 0CVE-2017-7547 – postgresql: pg_user_mappings view discloses passwords to users lacking server privileges
https://notcve.org/view.php?id=CVE-2017-7547
10 Aug 2017 — PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so. PostgreSQL en sus versiones anteriores a 9.2.22, 9.3.18, 9.4.13, 9.5.8 y 9.6.4 es vulnerable a un fallo de autorización que permite que los atacantes remotos autenticados recuperen contraseñas de los mapeos de usuarios definidos por los ... • http://www.debian.org/security/2017/dsa-3935 • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-0768
https://notcve.org/view.php?id=CVE-2016-0768
06 Jun 2017 — PostgreSQL PL/Java after 9.0 does not honor access controls on large objects. PL/Java posterior a la versión 9.0 de PostgreSQL, no respeta los controles de acceso en objetos grandes. • https://tada.github.io/pljava/releasenotes.html • CWE-284: Improper Access Control •
CVSS: 7.5EPSS: 0%CPEs: 40EXPL: 0CVE-2017-7484 – postgresql: Selectivity estimators bypass SELECT privilege checks
https://notcve.org/view.php?id=CVE-2017-7484
12 May 2017 — It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access. Se ha descubierto que algunas funciones de estimación de selectividad en PostgreSQL, en versiones anteriores ... • http://www.debian.org/security/2017/dsa-3851 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization CWE-862: Missing Authorization •
CVSS: 7.4EPSS: 1%CPEs: 39EXPL: 0CVE-2017-7485 – postgresql: libpq ignores PGREQUIRESSL environment variable
https://notcve.org/view.php?id=CVE-2017-7485
12 May 2017 — In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server. En PostgreSQL, en versiones 9.3.x anteriores a la 9.3.17, versiones 9.4.x anteriores a la 9.4.12, versiones 9.5.x anteriores a la 9.5.7, y versiones ... • http://www.debian.org/security/2017/dsa-3851 • CWE-311: Missing Encryption of Sensitive Data CWE-390: Detection of Error Condition Without Action •
CVSS: 7.5EPSS: 0%CPEs: 134EXPL: 0CVE-2017-7486 – postgresql: pg_user_mappings view discloses foreign server passwords
https://notcve.org/view.php?id=CVE-2017-7486
12 May 2017 — PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server. Las versiones 8.4 a 9.6 de PostgreSQL son vulnerables a un filtrado de información en la vista pg_user_mappings que revela contraseñas de servidores extranjeros a cualquier usuario que tenga privilegio USAGE en el servidor extranjero asociado. It was found that the pg_user_mappings view could disclose informati... • http://www.debian.org/security/2017/dsa-3851 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-285: Improper Authorization CWE-522: Insufficiently Protected Credentials •
CVSS: 8.5EPSS: 3%CPEs: 47EXPL: 0CVE-2016-5423 – postgresql: CASE/WHEN with inlining can cause untrusted pointer dereference
https://notcve.org/view.php?id=CVE-2016-5423
12 Aug 2016 — PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types. Postgre... • http://rhn.redhat.com/errata/RHSA-2016-1781.html • CWE-476: NULL Pointer Dereference CWE-822: Untrusted Pointer Dereference •
CVSS: 7.6EPSS: 1%CPEs: 47EXPL: 0CVE-2016-5424 – postgresql: privilege escalation via crafted database and role names
https://notcve.org/view.php?id=CVE-2016-5424
12 Aug 2016 — PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation. PostgreSQL en versiones anteriores a 9.1.23, 9.2.x en versiones anteriores a 9.2.18, 9.3.x en versiones anteriore... • http://rhn.redhat.com/errata/RHSA-2016-1781.html • CWE-20: Improper Input Validation CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 0CVE-2016-3065
https://notcve.org/view.php?id=CVE-2016-3065
11 Apr 2016 — The (1) brin_page_type and (2) brin_metapage_info functions in the pageinspect extension in PostgreSQL before 9.5.x before 9.5.2 allows attackers to bypass intended access restrictions and consequently obtain sensitive server memory information or cause a denial of service (server crash) via a crafted bytea value in a BRIN index page. Las funciones (1) brin_page_type y (2) brin_metapage_info en la extensión pageinspect en PostgreSQL en versiones anteriores a 9.5.x en versiones anteriores a 9.5.2 permite a a... • http://git.postgresql.org/gitweb/?p=postgresql.git%3Ba=commitdiff%3Bh=bf78a6f107949fdfb513d1b45e30cefe04e09e4f • CWE-264: Permissions, Privileges, and Access Controls •