CVE-2023-41038 – Server crash when using specific form of SET BIND statement
https://notcve.org/view.php?id=CVE-2023-41038
Firebird is a relational database. Versions 4.0.0 through 4.0.3 and version 5.0 beta1 are vulnerable to a server crash when a user uses a specific form of SET BIND statement. Any non-privileged user with minimum access to a server may type a statement with a long `CHAR` length, which causes the server to crash due to stack corruption. Versions 4.0.4.2981 and 5.0.0.117 contain fixes for this issue. No known workarounds are available. • https://firebirdsql.org/en/snapshot-builds https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-6fv8-8rwr-9692 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVE-2017-11509
https://notcve.org/view.php?id=CVE-2017-11509
An authenticated remote attacker can execute arbitrary code in Firebird SQL Server versions 2.5.7 and 3.0.2 by executing a malformed SQL statement. Un atacante remoto autenticado puede ejecutar código arbitrario en Firebird SQL Server, versiones 2.5.7 y 3.0.2, ejecutando una instrucción SQL mal formada. • https://lists.debian.org/debian-lts-announce/2018/05/msg00005.html https://lists.debian.org/debian-lts-announce/2020/02/msg00036.html https://lists.debian.org/debian-lts-announce/2021/11/msg00018.html https://www.tenable.com/security/research/tra-2017-36 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2017-6369
https://notcve.org/view.php?id=CVE-2017-6369
Insufficient checks in the UDF subsystem in Firebird 2.5.x before 2.5.7 and 3.0.x before 3.0.2 allow remote authenticated users to execute code by using a 'system' entrypoint from fbudf.so. Verificaciones insuficientes en el subsistema UDF en Firebird 2.5.x en versiones anteriores a 2.5.7 y 3.0.x en versiones anteriores a 3.0.2 permiten a usuarios remotos autenticados ejecutar código utilizando un punto de entrada 'system' desde fbudf.so. • http://tracker.firebirdsql.org/browse/CORE-5474 http://www.debian.org/security/2017/dsa-3824 http://www.securityfocus.com/bid/97070 https://usn.ubuntu.com/3929-1 • CWE-862: Missing Authorization •
CVE-2016-1569
https://notcve.org/view.php?id=CVE-2016-1569
FireBird 2.5.5 allows remote authenticated users to cause a denial of service (daemon crash) by using service manager to invoke the gbak utility with an invalid parameter. FireBird 2.5.5 permite a usuarios autenticados provocar una denegación de servicio (caída de demonio) utilizando el servicio manager para invocar la utilidad gbak con un parámetro no válido. • http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177119.html http://sourceforge.net/p/firebird/code/62783 http://tracker.firebirdsql.org/browse/CORE-5068 http://www.openwall.com/lists/oss-security/2016/01/10/2 http://www.openwall.com/lists/oss-security/2016/01/10/3 • CWE-20: Improper Input Validation •
CVE-2014-9323
https://notcve.org/view.php?id=CVE-2014-9323
The xdr_status_vector function in Firebird before 2.1.7 and 2.5.x before 2.5.3 SU1 allows remote attackers to cause a denial of service (NULL pointer dereference, segmentation fault, and crash) via an op_response action with a non-empty status. La función xdr_status_vector en Firebird anterior a 2.1.7 y 2.5.x anterior a 2.5.3 SU1 permite a atacantes remotos causar una denegación de servicio (referencia a puntero nulo, fallo de segmentación y caída) a través de una acción op_response con un estado 'no vacío'. • http://advisories.mageia.org/MGASA-2014-0523.html http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00012.html http://tracker.firebirdsql.org/browse/CORE-4630 http://www.debian.org/security/2014/dsa-3109 http://www.firebirdsql.org/en/news/security-updates-for-v2-1-and-v2-5-series-66011 http://www.mandriva.com/security/advisories?name=MDVSA-2015:172 https://usn.ubuntu.com/3929-1 • CWE-476: NULL Pointer Dereference •