CVSS: 10.0EPSS: 1%CPEs: 57EXPL: 0CVE-2014-0061 – postgresql: privilege escalation via procedural language validator functions
https://notcve.org/view.php?id=CVE-2014-0061
21 Feb 2014 — The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions. Las funciones de validación para los lenguajes procedurales (PLs) en PostgreSQL anterior a 8.4.20, 9.0.x anterior a 9.0.16, 9.1.x anterior a 9.1.12, 9.2.x ante... • http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 6%CPEs: 57EXPL: 0CVE-2014-0065 – postgresql: possible buffer overflow flaws
https://notcve.org/view.php?id=CVE-2014-0065
21 Feb 2014 — Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063. Múltiples desbordamientos de buffer en PostgreSQL anterior a 8.4.20, 9.0.x anterior a 9.0.16, 9.1.x anterior a 9.1.12, 9.2.x anterior a 9.2.7 y 9.3.x anterior a 9.3.3 permiten a usuarios remotos autenticados tener un impacto y vectores de ataque ... • http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 10.0EPSS: 1%CPEs: 57EXPL: 0CVE-2014-0060 – postgresql: SET ROLE without ADMIN OPTION allows adding and removing group members
https://notcve.org/view.php?id=CVE-2014-0060
21 Feb 2014 — PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command. PostgreSQL anterior a 8.4.20, 9.0.x anterior a 9.0.16, 9.1.x anterior a 9.1.12, 9.2.x anterior a 9.2.7 y 9.3.x anterior a 9.3.3 no fuerza debidamente la restricción de ADMIN OPTI... • http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 9.8EPSS: 0%CPEs: 130EXPL: 0CVE-2013-4422 – Gentoo Linux Security Advisory 201311-03
https://notcve.org/view.php?id=CVE-2013-4422
23 Oct 2013 — SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or later and PostgreSQL 8.2 or later are used, allows remote attackers to execute arbitrary SQL commands via a \ (backslash) in a message. Vulnerabilidad de inyección SQL en Quassel IRC anterior a la versión 0.9.1, cuando Qt 4.8.5 o posteriores y PostgreSQL 8.2 o posteriores son usados, permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de una \ (barra invertida) en un mensaje. Two vulnerabilities in Quassel may resul... • http://bugs.quassel-irc.org/issues/1244 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 66EXPL: 0CVE-2013-1902 – Apple Security Advisory 2013-09-12-1
https://notcve.org/view.php?id=CVE-2013-1902
04 Apr 2013 — PostgreSQL, 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 generates insecure temporary files with predictable filenames, which has unspecified impact and attack vectors related to "graphical installers for Linux and Mac OS X." PostgreSQL, v9.2.x anterior a v9.2.4, v9.1.x anterior a v9.1.9, v9.0.x anterior a v9.0.13, v8.4.x anterior a v8.4.17, y v8.3.x anterior a v8.3.23 genera archivos temporales inseguros con nombres predecibles, lo cual tiene un ... • http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html •
CVSS: 10.0EPSS: 0%CPEs: 66EXPL: 0CVE-2013-1903 – Apple Security Advisory 2013-09-12-1
https://notcve.org/view.php?id=CVE-2013-1903
04 Apr 2013 — PostgreSQL, possibly 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 incorrectly provides the superuser password to scripts related to "graphical installers for Linux and Mac OS X," which has unspecified impact and attack vectors. PostgreSQL, probablemente en v9.2.x anterior a v9.2.4, v9.1.x anterior a v9.1.9, v9.0.x anterior a v9.0.13, v8.4.x anterior a v8.4.17, y v8.3.x anterior a v8.3.23 proporciona incorrectamente la contraseña de superusuario a ... • http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 3%CPEs: 62EXPL: 0CVE-2013-0255 – postgresql: array indexing error in enum_recv()
https://notcve.org/view.php?id=CVE-2013-0255
13 Feb 2013 — PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read. PostgreSQL v9.2.x anteriores a v9.2.3, v9.1.x anteriores ... • http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098586.html • CWE-20: Improper Input Validation •
CVSS: 6.5EPSS: 1%CPEs: 22EXPL: 0CVE-2012-3489 – postgresql: File disclosure through XXE in xmlparse by DTD validation
https://notcve.org/view.php?id=CVE-2012-3489
03 Oct 2012 — The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue. La función xml_parse en el soporte libxml2 en el componente de servidor cen... • http://lists.apple.com/archives/security-announce/2013/Mar/msg00002.html • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 10.0EPSS: 0%CPEs: 47EXPL: 0CVE-2012-3488 – module): XXE by applying XSL stylesheet to the document
https://notcve.org/view.php?id=CVE-2012-3488
03 Oct 2012 — The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue. El soporte libxslt... • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 5%CPEs: 39EXPL: 0CVE-2012-0868 – postgresql: SQL injection due unsanitized newline characters in object names
https://notcve.org/view.php?id=CVE-2012-0868
18 Jul 2012 — CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored. Vulnerabilidad de inyección CRLF en pg_dump en PostgreSQL v8.3.x antes de v8.3.18, v8.4.x antes de v8.4.11, v9.0.x antes de v9.0.7 y v9.1.x antes de v9.1.3 permi... • http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •