CVE-2013-1900
postgresql: Improper randomization of pgcrypto functions (requiring random seed)
Severity Score
8.8
*CVSS v3
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions."
PostgreSQL v9.2.x anterior a v9.2.4, v9.1.x anterior a v9.1.9, v9.0.x anterior a v9.0.13, y v8.4.x anterior a v8.4.17 cuando se utiliza OpenSSL, genera números insuficiente aleatorios, lo que podría permitir a usuarios remotos autenticados provocar un impacto no especificado a través de vectores relacionados con las funciones "contrib/pgcrypto".
Multiple vulnerabilities has been discovered and corrected in PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read. Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service , and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a - (hyphen). PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the contrib/pgcrypto functions. PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the pg_start_backup or pg_stop_backup functions. This advisory provides the latest versions of PostgreSQL that is not vulnerable to these issues.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2013-02-19 CVE Reserved
- 2013-04-04 CVE Published
- 2024-08-06 CVE Updated
- 2025-06-19 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-189: Numeric Errors
CAPEC
References (23)
| URL | Tag | Source |
|---|---|---|
| http://support.apple.com/kb/HT5880 | X_refsource_confirm |
|
| http://support.apple.com/kb/HT5892 | X_refsource_confirm |
|
| http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html | X_refsource_confirm |
|
| http://www.postgresql.org/docs/current/static/release-8-4-17.html | X_refsource_confirm | |
| http://www.postgresql.org/docs/current/static/release-9-0-13.html | X_refsource_confirm | |
| http://www.postgresql.org/docs/current/static/release-9-1-9.html | X_refsource_confirm | |
| http://www.postgresql.org/docs/current/static/release-9-2-4.html | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.2 Search vendor "Postgresql" for product "Postgresql" and version "9.2" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.2.1 Search vendor "Postgresql" for product "Postgresql" and version "9.2.1" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.2.2 Search vendor "Postgresql" for product "Postgresql" and version "9.2.2" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.2.3 Search vendor "Postgresql" for product "Postgresql" and version "9.2.3" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.1 Search vendor "Postgresql" for product "Postgresql" and version "9.1" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.1.1 Search vendor "Postgresql" for product "Postgresql" and version "9.1.1" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.1.2 Search vendor "Postgresql" for product "Postgresql" and version "9.1.2" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.1.3 Search vendor "Postgresql" for product "Postgresql" and version "9.1.3" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.1.4 Search vendor "Postgresql" for product "Postgresql" and version "9.1.4" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.1.5 Search vendor "Postgresql" for product "Postgresql" and version "9.1.5" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.1.6 Search vendor "Postgresql" for product "Postgresql" and version "9.1.6" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.1.7 Search vendor "Postgresql" for product "Postgresql" and version "9.1.7" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.1.8 Search vendor "Postgresql" for product "Postgresql" and version "9.1.8" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0 Search vendor "Postgresql" for product "Postgresql" and version "9.0" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0.1 Search vendor "Postgresql" for product "Postgresql" and version "9.0.1" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0.2 Search vendor "Postgresql" for product "Postgresql" and version "9.0.2" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0.3 Search vendor "Postgresql" for product "Postgresql" and version "9.0.3" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0.4 Search vendor "Postgresql" for product "Postgresql" and version "9.0.4" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0.5 Search vendor "Postgresql" for product "Postgresql" and version "9.0.5" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0.6 Search vendor "Postgresql" for product "Postgresql" and version "9.0.6" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0.7 Search vendor "Postgresql" for product "Postgresql" and version "9.0.7" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0.8 Search vendor "Postgresql" for product "Postgresql" and version "9.0.8" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0.9 Search vendor "Postgresql" for product "Postgresql" and version "9.0.9" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0.10 Search vendor "Postgresql" for product "Postgresql" and version "9.0.10" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0.11 Search vendor "Postgresql" for product "Postgresql" and version "9.0.11" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 9.0.12 Search vendor "Postgresql" for product "Postgresql" and version "9.0.12" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4 Search vendor "Postgresql" for product "Postgresql" and version "8.4" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.1 Search vendor "Postgresql" for product "Postgresql" and version "8.4.1" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.2 Search vendor "Postgresql" for product "Postgresql" and version "8.4.2" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.3 Search vendor "Postgresql" for product "Postgresql" and version "8.4.3" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.4 Search vendor "Postgresql" for product "Postgresql" and version "8.4.4" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.5 Search vendor "Postgresql" for product "Postgresql" and version "8.4.5" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.6 Search vendor "Postgresql" for product "Postgresql" and version "8.4.6" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.7 Search vendor "Postgresql" for product "Postgresql" and version "8.4.7" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.8 Search vendor "Postgresql" for product "Postgresql" and version "8.4.8" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.9 Search vendor "Postgresql" for product "Postgresql" and version "8.4.9" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.10 Search vendor "Postgresql" for product "Postgresql" and version "8.4.10" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.11 Search vendor "Postgresql" for product "Postgresql" and version "8.4.11" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.12 Search vendor "Postgresql" for product "Postgresql" and version "8.4.12" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.13 Search vendor "Postgresql" for product "Postgresql" and version "8.4.13" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.14 Search vendor "Postgresql" for product "Postgresql" and version "8.4.14" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.15 Search vendor "Postgresql" for product "Postgresql" and version "8.4.15" | - |
Affected
| ||||||
| Postgresql Search vendor "Postgresql" | Postgresql Search vendor "Postgresql" for product "Postgresql" | 8.4.16 Search vendor "Postgresql" for product "Postgresql" and version "8.4.16" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 8.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "8.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 10.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "10.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 11.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "11.10" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 12.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "12.10" | - |
Affected
| ||||||