CVSS: 10.0EPSS: 0%CPEs: 57EXPL: 0CVE-2014-0060 – postgresql: SET ROLE without ADMIN OPTION allows adding and removing group members
https://notcve.org/view.php?id=CVE-2014-0060
21 Feb 2014 — PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command. PostgreSQL anterior a 8.4.20, 9.0.x anterior a 9.0.16, 9.1.x anterior a 9.1.12, 9.2.x anterior a 9.2.7 y 9.3.x anterior a 9.3.3 no fuerza debidamente la restricción de ADMIN OPTI... • http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 0%CPEs: 57EXPL: 0CVE-2014-0062 – postgresql: CREATE INDEX race condition possibly leading to privilege escalation
https://notcve.org/view.php?id=CVE-2014-0062
21 Feb 2014 — Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window. La condición de carrera en los comandos (1) CREATE INDEX y (2) ALTER TABLE no especificado en PostgreSQL anterior a 8.4.20, 9.0.x anter... • http://archives.neohapsis.com/archives/bugtraq/2014-10/0103.html • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVSS: 9.8EPSS: 0%CPEs: 130EXPL: 0CVE-2013-4422 – Gentoo Linux Security Advisory 201311-03
https://notcve.org/view.php?id=CVE-2013-4422
23 Oct 2013 — SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or later and PostgreSQL 8.2 or later are used, allows remote attackers to execute arbitrary SQL commands via a \ (backslash) in a message. Vulnerabilidad de inyección SQL en Quassel IRC anterior a la versión 0.9.1, cuando Qt 4.8.5 o posteriores y PostgreSQL 8.2 o posteriores son usados, permite a atacantes remotos ejecutar comandos SQL arbitrarios a través de una \ (barra invertida) en un mensaje. Two vulnerabilities in Quassel may resul... • http://bugs.quassel-irc.org/issues/1244 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 48EXPL: 0CVE-2013-1900 – postgresql: Improper randomization of pgcrypto functions (requiring random seed)
https://notcve.org/view.php?id=CVE-2013-1900
04 Apr 2013 — PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions." PostgreSQL v9.2.x anterior a v9.2.4, v9.1.x anterior a v9.1.9, v9.0.x anterior a v9.0.13, y v8.4.x anterior a v8.4.17 cuando se utiliza OpenSSL, genera números insuficiente aleatorios, lo que podría permitir a usuarios rem... • http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html • CWE-189: Numeric Errors •
CVSS: 8.8EPSS: 96%CPEs: 31EXPL: 1CVE-2013-1899 – PostgreSQL Database Name Command Line Flag Injection
https://notcve.org/view.php?id=CVE-2013-1899
04 Apr 2013 — Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen). Vulnerabilidad de inyección de argumentos en PostgreSQL 9.2.x anterior a 9.2.4, 9.1.x anterior a 9.1.9, y 9.0.x anterior a 9.0.13, permite a atacantes... • https://packetstorm.news/files/id/180960 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 8.8EPSS: 0%CPEs: 18EXPL: 0CVE-2013-1901 – Apple Security Advisory 2013-09-12-1
https://notcve.org/view.php?id=CVE-2013-1901
04 Apr 2013 — PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions. PostgreSQL v9.2.x anterior a v9.2.4, v9.1.x anterior a v9.1.9 no comprueba correctamente los privilegios de "REPLICATION", lo que permite a usuarios remotos autenticados para eludir restricciones de seguridad destinados a la llamada (1) pg_start_backup o las funci... • http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 10.0EPSS: 0%CPEs: 66EXPL: 0CVE-2013-1902 – Apple Security Advisory 2013-09-12-1
https://notcve.org/view.php?id=CVE-2013-1902
04 Apr 2013 — PostgreSQL, 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 generates insecure temporary files with predictable filenames, which has unspecified impact and attack vectors related to "graphical installers for Linux and Mac OS X." PostgreSQL, v9.2.x anterior a v9.2.4, v9.1.x anterior a v9.1.9, v9.0.x anterior a v9.0.13, v8.4.x anterior a v8.4.17, y v8.3.x anterior a v8.3.23 genera archivos temporales inseguros con nombres predecibles, lo cual tiene un ... • http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html •
CVSS: 10.0EPSS: 0%CPEs: 66EXPL: 0CVE-2013-1903 – Apple Security Advisory 2013-09-12-1
https://notcve.org/view.php?id=CVE-2013-1903
04 Apr 2013 — PostgreSQL, possibly 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 incorrectly provides the superuser password to scripts related to "graphical installers for Linux and Mac OS X," which has unspecified impact and attack vectors. PostgreSQL, probablemente en v9.2.x anterior a v9.2.4, v9.1.x anterior a v9.1.9, v9.0.x anterior a v9.0.13, v8.4.x anterior a v8.4.17, y v8.3.x anterior a v8.3.23 proporciona incorrectamente la contraseña de superusuario a ... • http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 1%CPEs: 62EXPL: 0CVE-2013-0255 – postgresql: array indexing error in enum_recv()
https://notcve.org/view.php?id=CVE-2013-0255
13 Feb 2013 — PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read. PostgreSQL v9.2.x anteriores a v9.2.3, v9.1.x anteriores ... • http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098586.html • CWE-20: Improper Input Validation •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2012-1618
https://notcve.org/view.php?id=CVE-2012-1618
06 Oct 2012 — Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the "standard_conforming_strings" option enabled, such as the default configuration of PostgreSQL 9.1, does not properly escape unspecified JDBC statement parameters, which allows remote attackers to perform SQL injection attacks. NOTE: as of 20120330, it was claimed that the upstream developer planned to dispute this issue, but an official dispute has not been posted as of 20121005. Error de interacción en e... • http://archives.neohapsis.com/archives/bugtraq/2012-03/0126.html •