Releases129
Frequency11 months 3 weeks
Last Release
**PostgreSQL** is a powerful, open-source **object-relational database management system (ORDBMS)**, developed at the **University of California, Berkeley**. It extends the POSTGRES project and pioneered features later adopted by other commercial systems. PostgreSQL is **free to use, modify, and distribute** for private, commercial, or academic purposes. ## Features - See the [Feature Matrix](https://www.postgresql.org/about/featurematrix) ## Package parameters | Parameter | Description | |------------|--------------| | `/AllowRemote` | Enables remote connections (adds entries to `pg_hba.conf`). | | `/Password` | Sets password for `postgres` user. If omitted, one is generated. Ignored if PostgreSQL already exists. | | `/Port` | Database server port. Defaults to `5432` or next available port. | | `/NoPath` | Prevents adding PostgreSQL `bin` directory to `PATH`. | Other parameters could be set via `--ia` argument, example: ```powershell choco install postgresql13 --params '/Password:test /Port:5433' --ia '--enable-components server,commandlinetools' ``` Check all [installer](https://www.enterprisedb.com/downloads/postgres-postgresql-downloads) options by adding `--help` as command line argument. ## Notes - Test installation (specify your password): `$Env:PGPASSWORD='test'; '\conninfo' | psql -Upostgres` This should output: `You are connected to database "postgres" as user "postgres" on host "localhost" at port "5432"` - This package will install PostgreSQL to `$Env:ProgramFiles\PostgreSQL\[MajorVersion]`. - If you have problems during installation see [troubleshooting page](https://wiki.postgresql.org/wiki/Troubleshooting_Installation). - If you didn't specify password during setup and didn't record the generated one, you need manually reset it using the following steps: - Open file `data\pg_hba.conf` in PostgreSql installation directory - Change `METHOD` to `trust` and restart service with `Restart-Service postgresql*` - Execute `"alter user postgres with password '[my password]';" | psql -Upostgres` - Revert back `data\pg_hba.conf` to METHOD `md5` and restart service ### Virtual package Each major version has its own package: `postgresql` **Virtual package** [postgresql](https://community.chocolatey.org/packages/postgresql) also contains all versions that depend on adequate major version, but using it without problems require some special choco parameters. To propagate package parameters to dependencies use `--params-global` choco install parameter with virtual package `postgresql`. Assuming latest version is 12, to provide password the following two examples result in identical installation: ```sh choco install postgresql --params '/Password:test' --params-global choco install postgresql12 --params '/Password:test' ``` To uninstall dependent package use `--force-dependencies`: ```sh # The following two examples are identical choco uninstall postgresql --force-dependencies choco uninstall postgresql12 postgresql # This example uninstalls only postgresql virtual package and not postgresql12 choco uninstall postgresql ``` To force reinstallation via virtual package use `--force-dependencies`: ```sh # The following two examples are identical choco install postgresql --force --force-dependencies choco install postgresql12 --force --force-dependencies # This will reinstall only postgresql virtual package and not its dependency postgresql12 choco install postgresql -force # This one is different then the first one as vcredist140 dependency is not reinstalled choco install postgresql12 --force ``` **Please Note**: This is an automatically updated package. If you find it is out of date by more than a day or two, please contact the maintainer(s) and let them know [here](https://github.com/mkevenaar/chocolatey-packages/issues) that the package is no longer updating correctly.

CVE History

CVEAffectedPublishedCVSS v3CVSS v2
>= 16.0, < 16.14, >= 17.0, < 17.10, >= 18.0, < 18.43.7 LOW

SQL injection in PostgreSQL logical replication ALTER SUBSCRIPTION ... REFRESH PUBLICATION allows a subscriber table creator to execute arbitrary SQL with the subscription's publication-side credentials. The attack takes effect at the next REFRESH PUBLICATION. Within major versions 16, 17, and 18, minor versions before PostgreSQL 18.4, 17.10, and 16.14 are affected. Versions before PostgreSQL 16 are unaffected.

< 14.23, >= 15.0, < 15.18, >= 16.0, < 16.14, >= 17.0, < 17.10, >= 18.0, < 18.48.8 HIGH

Stack buffer overflow in PostgreSQL module "refint" allows an unprivileged database user to execute arbitrary code as the operating system user running the database. A distinct attack is possible if the application declares a user-controlled column as a "refint" cascade primary key and facilitates user-controlled updates to that column. In that case, a SQL injection allows a primary key update value provider to execute arbitrary SQL as the database user performing the primary key update. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

>= 18.0, < 18.44.3 MEDIUM

Buffer over-read in PostgreSQL function pg_restore_attribute_stats() accepts array values of unmatched length, which causes query planning to read past end of one array. This allows a table maintainer to infer memory values past that array end. Within major version 18, minor versions before PostgreSQL 18.4 are affected. Versions before PostgreSQL 18 are unaffected.

< 14.23, >= 15.0, < 15.18, >= 16.0, < 16.14, >= 17.0, < 17.10, >= 18.0, < 18.47.5 HIGH

Uncontrolled recursion in PostgreSQL SSL and GSS negotiation allows an attacker able to connect to a PostgreSQL AF_UNIX socket to achieve sustained denial of service. If SSL and GSS are both disabled, an attacker can do the same via access to a PostgreSQL TCP socket. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

< 14.23, >= 15.0, < 15.18, >= 16.0, < 16.14, >= 17.0, < 17.10, >= 18.0, < 18.46.5 MEDIUM

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed passwords originating in upgrades from PostgreSQL 13 or earlier. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

< 14.23, >= 15.0, < 15.18, >= 16.0, < 16.14, >= 17.0, < 17.10, >= 18.0, < 18.48.8 HIGH

Use of inherently dangerous function PQfn(..., result_is_int=0, ...) in PostgreSQL libpq lo_export(), lo_read(), lo_lseek64(), and lo_tell64() functions allows the server superuser to overwrite a client stack buffer with an arbitrarily-large response. Like gets(), PQfn(..., result_is_int=0, ...) stores arbitrary-length, server-determined data into a buffer of unspecified size. Because both the \lo_export command in psql and pg_dump call lo_read(), the server superuser can overwrite pg_dump or psql stack memory. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

>= 17.0, < 17.10, >= 18.0, < 18.47.2 HIGH

SQL injection in PostgreSQL pg_createsubscriber allows an attacker with pg_create_subscription rights to execute arbitrary SQL as a superuser. The attack takes effect when pg_createsubscriber next runs. Within major versions 17 and 18, minor versions before PostgreSQL 18.4 and 17.10 are affected. Versions before PostgreSQL 17 are unaffected.

< 14.23, >= 15.0, < 15.18, >= 16.0, < 16.14, >= 17.0, < 17.10, >= 18.0, < 18.48.8 HIGH

Symlink following in PostgreSQL pg_basebackup plain format and in pg_rewind allows an origin superuser to overwrite local files, e.g. /var/lib/postgres/.bashrc, that hijack the operating system account. It will remain the case that starting the server after these commands implicitly trusts the origin superuser, due to features like shared_preload_libraries. Hence, the attack has practical implications only if one takes relevant action between these commands and server start, like moving the files to a different VM or snapshotting the VM. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

< 14.23, >= 15.0, < 15.18, >= 16.0, < 16.14, >= 17.0, < 17.10, >= 18.0, < 18.45.4 MEDIUM

Missing authorization in PostgreSQL CREATE TYPE allows an object creator to hijack other queries that use search_path to find user-defined types, including extension-defined types. That is to say, the victim will execute arbitrary SQL functions of the attacker's choice. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

< 14.23, >= 15.0, < 15.18, >= 16.0, < 16.14, >= 17.0, < 17.10, >= 18.0, < 18.44.3 MEDIUM

Externally-controlled format string in PostgreSQL timeofday() function allows an attacker to retrieve portions of server memory, via crafted timezone zones. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

< 14.23, >= 15.0, < 15.18, >= 16.0, < 16.14, >= 17.0, < 17.10, >= 18.0, < 18.48.8 HIGH

Integer wraparound in multiple PostgreSQL server features allows an unprivileged database user to cause the server to undersize an allocation and write out-of-bounds. This may execute arbitrary code as the operating system user running the database. In applications that pass gigabyte-scale user inputs to the relevant database functions, the application input provider may achieve a segmentation fault. Versions before PostgreSQL 18.4, 17.10, 16.14, 15.18, and 14.23 are affected.

>= 14.0, < 14.21, >= 15.0, < 15.16, >= 16.0, < 16.12, >= 17.0, < 17.8, >= 18.0, < 18.28.8 HIGH

Heap buffer overflow in PostgreSQL pgcrypto allows a ciphertext provider to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

>= 14.0, < 14.21, >= 15.0, < 15.16, >= 16.0, < 16.12, >= 17.0, < 17.8, >= 18.0, < 18.24.3 MEDIUM

Improper validation of type "oidvector" in PostgreSQL allows a database user to disclose a few bytes of server memory. We have not ruled out viability of attacks that arrange for presence of confidential information in disclosed bytes, but they seem unlikely. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

>= 14.0, < 14.21, >= 15.0, < 15.16, >= 16.0, < 16.12, >= 17.0, < 17.8, >= 18.0, < 18.28.8 HIGH

Missing validation of multibyte character length in PostgreSQL text manipulation allows a database user to issue crafted queries that achieve a buffer overrun. That suffices to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

>= 18.0, < 18.28.2 HIGH

Heap buffer overflow in PostgreSQL pg_trgm allows a database user to achieve unknown impacts via a crafted input string. The attacker has limited control over the byte patterns to be written, but we have not ruled out the viability of attacks that lead to privilege escalation. PostgreSQL 18.1 and 18.0 are affected.

>= 14.0, < 14.21, >= 15.0, < 15.16, >= 16.0, < 16.12, >= 17.0, < 17.8, >= 18.0, < 18.28.8 HIGH

Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.

>= 17.0, < 17.1, >= 16.0, < 16.5, >= 15.0, < 15.9, >= 14.0, < 14.14, >= 13.0, < 13.17, >= 12.0, < 12.218.8 HIGH

Incorrect control of environment variables in PostgreSQL PL/Perl allows an unprivileged database user to change sensitive process environment variables (e.g. PATH). That often suffices to enable arbitrary code execution, even if the attacker lacks a database server operating system user. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

>= 16.0, < 16.5, >= 15.0, < 15.9, >= 14.0, < 14.14, >= 13.0, < 13.17, >= 12.0, < 12.21, = 17.04.2 MEDIUM

Incorrect privilege assignment in PostgreSQL allows a less-privileged application user to view or change different rows from those intended. An attack requires the application to use SET ROLE, SET SESSION AUTHORIZATION, or an equivalent feature. The problem arises when an application query uses parameters from the attacker or conveys query results to the attacker. If that query reacts to current_setting('role') or the current user ID, it may modify or return data as though the session had not used SET ROLE or SET SESSION AUTHORIZATION. The attacker does not control which incorrect user ID applies. Query text from less-privileged sources is not a concern here, because SET ROLE and SET SESSION AUTHORIZATION are not sandboxes for unvetted queries. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

>= 16.0, < 16.5, >= 15.0, < 15.9, >= 14.0, < 14.14, >= 13.0, < 13.17, >= 12.0, < 12.21, = 17.03.1 LOW

Client use of server error message in PostgreSQL allows a server not trusted under current SSL or GSS settings to furnish arbitrary non-NUL bytes to the libpq application. For example, a man-in-the-middle attacker could send a long error message that a human or screen-scraper user of psql mistakes for valid query results. This is probably not a concern for clients where the user interface unambiguously indicates the boundary between one error message and other text. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

>= 17.0, < 17.1, >= 16.0, < 16.5, >= 15.0, < 15.9, >= 14.0, < 14.14, >= 13.0, < 13.17, >= 12.0, < 12.214.2 MEDIUM

Incomplete tracking in PostgreSQL of tables with row security allows a reused query to view or change different rows from those intended. CVE-2023-2455 and CVE-2016-2193 fixed most interaction between row security and user ID changes. They missed cases where a subquery, WITH query, security invoker view, or SQL-language function references a table with a row-level security policy. This has the same consequences as the two earlier CVEs. That is to say, it leads to potentially incorrect policies being applied in cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. An attacker must tailor an attack to a particular application's pattern of query plan reuse, user ID changes, and role-specific row security policies. Versions before PostgreSQL 17.1, 16.5, 15.9, 14.14, 13.17, and 12.21 are affected.

>= 16.0, < 16.4, >= 15.0, < 15.8, >= 14.0, < 14.13, >= 13.0, < 13.16, >= 12.0, < 12.208.8 HIGH

Time-of-check Time-of-use (TOCTOU) race condition in pg_dump in PostgreSQL allows an object creator to execute arbitrary SQL functions as the user running pg_dump, which is often a superuser. The attack involves replacing another relation type with a view or foreign table. The attack requires waiting for pg_dump to start, but winning the race condition is trivial if the attacker retains an open transaction. Versions before PostgreSQL 16.4, 15.8, 14.13, 13.16, and 12.20 are affected.

>= 16.0, < 16.3, >= 15.0, < 15.7, >= 14.0, < 14.123.1 LOW

Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected.

= 15.19.8 CRITICAL

Supabase PostgreSQL v15.1 was discovered to contain a SQL injection vulnerability via the component /pg_meta/default/query. NOTE: the vendor's position is that this is an intended feature; also, it exists in the Supabase dashboard product, not the Supabase PostgreSQL product. Specifically, /pg_meta/default/query is for SQL queries that are entered in an intended UI by an authorized user. Nothing is injected.

>= 15.0, < 15.6, >= 14.0, < 14.11, >= 13.0, < 13.14, >= 12.0, < 12.188 HIGH

Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected.

= 16.0, >= 15.0, < 15.5, >= 14.0, < 14.10, >= 13.0, < 13.13, >= 12.0, < 12.17, >= 11.0, < 11.228.8 HIGH

A flaw was found in PostgreSQL that allows authenticated database users to execute arbitrary code through missing overflow checks during SQL array value modification. This issue exists due to an integer overflow during array modification where a remote user can trigger the overflow by providing specially crafted data. This enables the execution of arbitrary code on the target system, allowing users to write arbitrary bytes to memory and extensively read the server's memory.

= 16.0, >= 15.0, < 15.5, >= 14.0, < 14.10, >= 13.0, < 13.13, >= 12.0, < 12.17, >= 11.0, < 11.222.2 LOW

A flaw was found in PostgreSQL involving the pg_cancel_backend role that signals background workers, including the logical replication launcher, autovacuum workers, and the autovacuum launcher. Successful exploitation requires a non-core extension with a less-resilient background worker and would affect that specific background worker only. This issue may allow a remote high privileged user to launch a denial of service (DoS) attack.

= 16.0, >= 15.0, < 15.5, >= 14.0, < 14.10, >= 13.0, < 13.13, >= 12.0, < 12.17, >= 11.0, < 11.224.3 MEDIUM

A memory disclosure vulnerability was found in PostgreSQL that allows remote users to access sensitive information by exploiting certain aggregate function calls with 'unknown'-type arguments. Handling 'unknown'-type values from string literals without type designation can disclose bytes, potentially revealing notable and confidential information. This issue exists due to excessive data output in aggregate function calls, enabling remote users to read some portion of system memory.

= 12.24.4 MEDIUM

An issue was discovered in PostgreSQL 12.2 allows attackers to cause a denial of service via repeatedly sending SIGHUP signals. NOTE: this is disputed by the vendor because untrusted users cannot send SIGHUP signals; they can only be sent by a PostgreSQL superuser, a user with pg_reload_conf access, or a user with sufficient privileges at the OS level (the postgres account or the root account).

>= 15.0, < 15.43.1 LOW

A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows.

>= 11.0, < 11.21, >= 15.0, < 15.4, >= 14.0, < 14.9, >= 13.0, < 13.12, >= 12.0, < 12.167.5 HIGH

IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.

>= 15.0, < 15.3, >= 14.0, < 14.8, >= 13.0, < 13.11, >= 12.0, < 12.15, >= 11.0, < 11.205.4 MEDIUM

Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.

>= 15.0, < 15.3, >= 14.0, < 14.8, >= 13.0, < 13.11, >= 12.0, < 12.15, >= 11.0, < 11.207.2 HIGH

schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.

>= 10.0, <= 10.22, >= 11.0, <= 11.7, >= 12.0, <= 12.12, >= 13.0, <= 13.8, >= 14.0, <= 14.58.8 HIGH

aiven-extras is a PostgreSQL extension. Versions prior to 1.1.9 contain a privilege escalation vulnerability, allowing elevation to superuser inside PostgreSQL databases that use the aiven-extras package. The vulnerability leverages missing schema qualifiers on privileged functions called by the aiven-extras extension. A low privileged user can create objects that collide with existing function names, which will then be executed instead. Exploiting this vulnerability could allow a low privileged user to acquire `superuser` privileges, which would allow full, unrestricted access to all data and database functions. And could lead to arbitrary code execution or data access on the underlying host as the `postgres` user. The issue has been patched as of version 1.1.9.

>= 15.0, < 15.2, >= 14.0, < 14.7, >= 13.0, < 13.10, >= 12.0, < 12.143.7 LOW

In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.

>= 14.0, < 14.3, >= 13.0, < 13.7, >= 12.0, < 12.11, >= 11.0, < 11.16, >= 10.0, < 10.218.8 HIGH

A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.

>= 10.0, < 10.19, >= 11.0, < 11.14, >= 12.0, < 12.9, >= 13.0, < 13.5, = 14.0, >= 9.6.0, < 9.6.245.9 MEDIUM

Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.

>= 10.0, < 10.22, >= 11.0, < 11.17, >= 12.0, < 12.12, >= 13.0, < 13.8, >= 14.0, < 14.5, = 158 HIGH

A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.

all versions8.1 HIGH6.5 MEDIUM

Gin-vue-admin is a backstage management system based on vue and gin, which separates the front and rear of the full stack. The problem occurs in the following code in server/service/system/sys_auto_code_pgsql.go, which means that PostgreSQL must be used as the database for this vulnerability to occur. Users must: Require JWT login) and be using PostgreSQL to be affected. This issue has been resolved in version 2.5.1. There are no known workarounds.

>= 10.0, < 10.19, >= 11.0, < 11.14, >= 12.0, < 12.9, >= 13.0, < 13.5, = 14.0, < 9.6.248.1 HIGH5.1 MEDIUM

When the server is configured to use trust authentication with a clientcert requirement or to use cert authentication, a man-in-the-middle attacker can inject arbitrary SQL queries when a connection is first established, despite the use of SSL certificate verification and encryption.

>= 9.6, < 9.6.24, >= 10.0, < 10.19, >= 11.0, < 11.14, >= 12.0, < 12.9, >= 13.0, < 13.5, = 14.05.9 MEDIUM4.3 MEDIUM

A man-in-the-middle attacker can inject false responses to the client's first few queries, despite the use of SSL certificate verification and encryption.

>= 13.0, < 13.4, >= 12.0, < 12.8, >= 11.0, < 11.136.5 MEDIUM4 MEDIUM

A flaw was found in postgresql. A purpose-crafted query can read arbitrary bytes of server memory. In the default configuration, any authenticated database user can complete this attack at will. The attack does not require the ability to create objects. If server settings include max_worker_processes=0, the known versions of this attack are infeasible. However, undiscovered variants of the attack may be independent of that setting.

>= 13.0, < 13.3, >= 12.0, < 12.7, >= 10.0, < 10.17, >= 11.0, < 11.12, >= 9.6.0, < 9.6.226.5 MEDIUM4 MEDIUM

A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.

>= 13.0, < 13.3, >= 12.0, < 12.7, >= 11.0, < 11.126.5 MEDIUM4 MEDIUM

A flaw was found in postgresql. Using an UPDATE ... RETURNING command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality.

>= 13.0, < 13.3, >= 12.0, < 12.7, >= 10.0, < 10.17, >= 11.0, < 11.12, >= 9.6.0, < 9.6.228.8 HIGH6.5 MEDIUM

A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

>= 13.0, < 13.2, >= 12.0, < 12.6, < 11.114.3 MEDIUM3.5 LOW

An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read.

< 9.4.22, >= 9.5.0, < 9.5.17, >= 9.6.0, < 9.6.13, >= 10.0, < 10.8, >= 11.0, < 11.37.8 HIGH4.1 MEDIUM

A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code.

< 9.4.22, >= 9.5.0, < 9.5.17, >= 9.6.0, < 9.6.13, >= 10.0, < 10.8, >= 11.0, < 11.38.8 HIGH4.3 MEDIUM

A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for BigSQL-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. An attacker having only the unprivileged Windows account can read arbitrary data directory files, essentially bypassing database-imposed read access limitations. An attacker having only the unprivileged Windows account can also delete certain data directory files.

>= 13.0, < 13.24.3 MEDIUM4 MEDIUM

A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality.

>= 9.6.0, < 9.6.20, >= 10.0, < 10.15, >= 11.0, < 11.10, >= 12.0, < 12.5, >= 13.0, < 13.1, >= 9.5.0, < 9.5.247.5 HIGH7.6 HIGH

A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

< 9.5.24, >= 9.6.0, < 9.6.20, >= 10.0, < 10.15, >= 11.0, < 11.10, >= 12.0, < 12.5, >= 13.0, < 13.18.1 HIGH6.8 MEDIUM

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

< 9.5.24, >= 9.6.0, < 9.6.20, >= 10.0, < 10.15, >= 11.0, < 11.10, >= 12.0, < 12.5, >= 13.0, < 13.18.8 HIGH6.5 MEDIUM

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

>= 9.6, < 9.6.18, >= 11.0, < 11.8, >= 10.0, < 10.13, >= 12.0, < 12.3, >= 9.5, < 9.5.227.3 HIGH4.4 MEDIUM

The Windows installer for PostgreSQL 9.5 - 12 invokes system-provided executables that do not have fully-qualified paths. Executables in the directory where the installer loads or the current working directory take precedence over the intended executables. An attacker having permission to add files into one of those directories can use this to execute arbitrary code with the installer's administrative rights.

>= 10.0, < 10.14, >= 11.0, < 11.9, >= 12.0, < 12.4, >= 9.5, < 9.5.23, >= 9.6, < 9.6.197.3 HIGH4.4 MEDIUM

It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.

>= 10.0, < 10.14, >= 11.0, < 11.9, >= 12.0, < 12.47.1 HIGH4.6 MEDIUM

It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.

>= 12.0, < 12.2, >= 11.0, < 11.7, >= 10.0, < 10.12, >= 9.6, < 9.6.173.1 LOW3.5 LOW

A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.

< 9.0.19, >= 9.1.0, < 9.1.15, >= 9.2.0, < 9.2.10, >= 9.3.0, < 9.3.6, >= 9.4.0, < 9.4.14.3 MEDIUM4 MEDIUM

PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.

< 9.0.19, >= 9.1.0, < 9.1.15, >= 9.2.0, < 9.2.10, >= 9.3.0, < 9.3.6, >= 9.4.0, < 9.4.19.8 CRITICAL7.5 HIGH

PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 does not properly handle errors while reading a protocol message, which allows remote attackers to conduct SQL injection attacks via crafted binary data in a parameter and causing an error, which triggers the loss of synchronization and part of the protocol message to be treated as a new message, as demonstrated by causing a timeout or query cancellation.

< 9.0.19, >= 9.1.0, < 9.1.15, >= 9.2.0, < 9.2.10, >= 9.3.0, < 9.3.6, >= 9.4.0, < 9.4.18.8 HIGH6.5 MEDIUM

Multiple buffer overflows in contrib/pgcrypto in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allow remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors.

< 9.0.19, >= 9.1.0, < 9.1.15, >= 9.2.0, < 9.2.10, >= 9.3.0, < 9.3.6, >= 9.4.0, < 9.4.18.8 HIGH6.5 MEDIUM

Stack-based buffer overflow in the *printf function implementations in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1, when running on a Windows system, allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a floating point number with a large precision, as demonstrated by using the to_char function.

< 9.0.19, >= 9.1.0, < 9.1.15, >= 9.2.0, < 9.2.10, >= 9.3.0, < 9.3.6, >= 9.4.0, < 9.4.18.8 HIGH6.5 MEDIUM

The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric formatting template, which triggers a buffer over-read, or (2) crafted timestamp formatting template, which triggers a buffer overflow.

>= 9.4, < 9.4.2, >= 9.3, < 9.3.7, >= 9.2, < 9.2.11, >= 9.1, < 9.1.16, < 9.0.207.5 HIGH5 MEDIUM

contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack.

>= 9.4, < 9.4.2, >= 9.3, < 9.3.7, >= 9.2, < 9.2.11, >= 9.1, < 9.1.16, < 9.0.209.8 CRITICAL7.5 HIGH

The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as demonstrated by an out-of-memory error.

< 9.4.24, >= 9.5.0, < 9.5.19, >= 9.6.0, < 9.6.15, >= 10.0, < 10.10, >= 11.0, < 11.59.8 CRITICAL7.5 HIGH

Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory.

< 9.4.24, >= 9.5.0, < 9.5.19, >= 9.6.0, < 9.6.15, >= 10.0, < 10.10, >= 11.0, < 11.57 HIGH1.9 LOW

Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via superuser writing password to unprotected temporary file.

>= 11.0, < 11.52.2 LOW3.5 LOW

Postgresql, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan.

>= 9.5.0, < 9.5.19, >= 9.6.0, < 9.6.15, >= 10.0, < 10.10, >= 11.0, < 11.5, >= 9.4.0, < 9.4.248.8 HIGH6.5 MEDIUM

A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.

>= 11.0, < 11.3, >= 9.5.0, < 9.5.17, >= 9.6.0, < 9.6.13, >= 10.0, < 10.84.3 MEDIUM4 MEDIUM

A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.

>= 11.0, < 11.36.5 MEDIUM4 MEDIUM

A vulnerability was found in postgresql versions 11.x prior to 11.3. Using a purpose-crafted insert to a partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any user can create a partitioned table suitable for this attack. (Exploit prerequisites are the same as for CVE-2018-1052).

>= 10.0, < 10.9, >= 11.0, < 11.48.8 HIGH9 HIGH

PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.

>= 9.3, <= 11.29 HIGH

In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.

>= 10.0, < 10.6, >= 11.0, < 11.1, = *9.8 CRITICAL7.5 HIGH

postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges.

>= 9.4.0, < 9.4.10, = *, >= 9.5.0, < 9.5.5, < 9.1.24, >= 9.2, < 9.2.19, >= 9.3, < 9.3.158.1 HIGH9.3 HIGH

The interactive installer in PostgreSQL before 9.3.15, 9.4.x before 9.4.10, and 9.5.x before 9.5.5 might allow remote attackers to execute arbitrary code by leveraging use of HTTP to download software.

= *, >= 9.5.0, < 9.5.14, >= 9.6.0, < 9.6.10, >= 10.0, < 10.58.1 HIGH5.5 MEDIUM

It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.

>= 9.4.0, < 9.4.19, >= 9.3.0, < 9.3.24, >= 9.5.0, < 9.5.14, >= 9.6.0, < 9.6.10, >= 10.0, < 10.56 MEDIUM

A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.

>= 10.0, < 10.4, < 9.6.99.1 CRITICAL6.4 MEDIUM

postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs than pg_rorate_logfile. If the adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation.

= *, >= 9.3, < 9.3.22, >= 9.4, < 9.4.17, >= 9.5, < 9.5.12, >= 9.6, < 9.6.8, >= 10.0, < 10.38.8 HIGH6.5 MEDIUM

A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected.

< 9.4-0.5.3.16.9 MEDIUM

A race condition in the postgresql init script could be used by attackers able to access the postgresql account to escalate their privileges to root.

= 10.1, = 10.0, >= 9.3.0, < 9.3.21, >= 9.4.0, < 9.4.16, >= 9.5.0, < 9.5.11, >= 9.6.0, < 9.6.73.3 LOW

In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g` under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory mode blocks the attacker searching the current working directory or if the prevailing umask blocks the attacker opening the file.

= 10.1, = 10.04 MEDIUM

Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a partitioned table.

= 9.3.8, = 9.2.1, = 9.5.1, = 9.3.15, = 9.2.18, = 9.4.5, = 9.3, = 9.2.13, = 9.5.7, = 9.6.3, = 9.6.2, = 9.2.6, = 9.2.3, = 9.5.5, = 9.4.4, = 9.4.2, = 9.3.7, = 9.3.6, = 9.3.5, = 9.2.15, = 9.4.8, = 9.2.11, = 9.2.9, = 9.2, = 9.3.11, = 9.3.2, = 9.2.12, = 9.4.12, = 9.4.11, = 9.4.10, = 9.3.17, = 9.3.16, = 9.3.14, = 9.2.21, = 9.2.7, = 9.2.5, = 9.5.6, = 9.4.3, = 9.3.9, = 9.2.16, = 9.2.14, = 9.6.1, = 9.5.2, = 9.5, = 9.4.6, = 9.4.1, = 9.3.12, = 9.3.10, = 9.3.3, = 9.3.1, = 9.2.20, = 9.2.2, = 9.5.3, = 9.4.9, = 9.4.7, = 9.4, = 9.3.13, = 9.3.4, = 9.2.19, = 9.2.17, = 9.2.10, = 9.2.8, = 9.2.4, = 9.6.5, = 9.6.4, = 9.4.14, = 9.4.13, = 9.2.23, = 9.2.22, = 9.5.4, = 10, = 9.5.9, = 9.3.19, = 9.6, = 9.5.8, = 9.3.187.2 HIGH

PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, 9.3.x before 9.3.20, and 9.2.x before 9.2.24 runs under a non-root operating system account, and database superusers have effective ability to run arbitrary code under that system account. PostgreSQL provides a script for starting the database server during system boot. Packages of PostgreSQL for many operating systems provide their own, packager-authored startup implementations. Several implementations use a log file name that the database superuser can replace with a symbolic link. As root, they open(), chmod() and/or chown() this log file name. This often suffices for the database superuser to escalate to root privileges when root starts the server.

= 9.5.1, = 9.5.7, = 9.5.5, = 9.6.2, = 9.6.3, = 9.5.6, = 9.5.3, = 9.5.2, = 9.5, = 9.5.4, = 9.6.1, = 9.5.8, = 9.6.5, = 10.0, = 9.5.9, = 9.6, = 9.6.44 MEDIUM

INSERT ... ON CONFLICT DO UPDATE commands in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, and 9.5.x before 9.5.10 disclose table contents that the invoker lacks privilege to read. These exploits affect only tables where the attacker lacks full read access but has both INSERT and UPDATE privileges. Exploits bypass row level security policies and lack of SELECT privilege.

= 9.3.8, = 9.5.1, = 9.3.15, = 9.4.5, = 9.3, = 9.5.7, = 9.3.11, = 9.3.5, = 9.5.5, = 9.6.3, = 9.4.12, = 9.4.4, = 9.4.3, = 9.4.2, = 9.3.7, = 9.3.6, = 9.6.2, = 9.5.3, = 9.4.10, = 9.4.1, = 9.3.13, = 9.4.8, = 9.3.10, = 9.3.3, = 9.3.2, = 9.5.6, = 9.4.6, = 9.6.4, = 9.5.4, = 9.4.11, = 9.3.14, = 9.6.1, = 9.6, = 9.5.2, = 9.4.9, = 9.4, = 9.3.12, = 9.3.4, = 9.5.9, = 9.5.8, = 9.5, = 9.4.7, = 9.3.19, = 9.3.18, = 10, = 9.6.5, = 9.4.14, = 9.4.13, = 9.3.17, = 9.3.16, = 9.3.9, = 9.3.15.5 MEDIUM

Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.

= -, all versions5.5 MEDIUM3.6 LOW

The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.

= 9.4.5, = 9.4.2, = 9.4.8, = 9.4.4, = 9.4.3, = 9.4.12, = 9.4.1, = 9.4.6, = 9.4.10, = 9.4.11, = 9.4.7, = 9.4, = 9.4.9, = 9.5.7, = 9.5.5, = 9.5.6, = 9.5.3, = 9.5.1., = 9.5.2, = 9.5, = 9.5.4, = 9.6.2, = 9.6.3, = 9.6.1, = 9.6, >= 9.6, < 9.6.4, >= 9.5, < 9.5.8, >= 9.4, < 9.4.137.5 HIGH4 MEDIUM

PostgreSQL versions before 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers with no privileges on a large object to overwrite the entire contents of the object, resulting in a denial of service.

= 9.2.1, = 9.2.18, = 9.2.13, = 9.2.9, = 9.2.12, = 9.2.15, = 9.2.6, = 9.2.11, = 9.2.3, = 9.2.8, = 9.2.14, = 9.2.16, = 9.2.17, = 9.2.4, = 9.2.19, = 9.2.21, = 9.2, = 9.2.2, = 9.2.10, = 9.2.5, = 9.2.7, = 9.2.20, = 9.3.8, = 9.3.15, = 9.3, = 9.3.11, = 9.3.5, = 9.3.2, = 9.3.7, = 9.3.6, = 9.3.10, = 9.3.12, = 9.3.13, = 9.3.14, = 9.3.4, = 9.3.1, = 9.3.3, = 9.3.16, = 9.3.9, = 9.3.17, = 9.4.5, = 9.4.2, = 9.4.8, = 9.4.4, = 9.4.3, = 9.4.12, = 9.4.1, = 9.4.6, = 9.4.10, = 9.4.9, = 9.4.11, = 9.4, = 9.4.7, = 9.5.1, = 9.5.7, = 9.5.5, = 9.5.6, = 9.5.3, = 9.5.2, = 9.5, = 9.5.4, = 9.6.2, = 9.6.3, = 9.6.1, = 9.67.5 HIGH

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to incorrect authentication flaw allowing remote attackers to gain access to database accounts with an empty password.

= 9.2.1, = 9.2.18, = 9.2.13, = 9.2.9, = 9.2.12, = 9.2.15, = 9.2.6, = 9.2.11, = 9.2.3, = 9.2, = 9.2.7, = 9.2.14, = 9.2.10, = 9.2.4, = 9.2.17, = 9.2.19, = 9.2.8, = 9.2.2, = 9.2.16, = 9.2.5, = 9.2.20, = 9.2.21, = 9.3.8, = 9.3.15, = 9.3, = 9.3.11, = 9.3.5, = 9.3.2, = 9.3.7, = 9.3.6, = 9.3.10, = 9.3.1, = 9.3.14, = 9.3.9, = 9.3.12, = 9.3.13, = 9.3.4, = 9.3.3, = 9.3.16, = 9.3.17, = 9.4.5, = 9.4.2, = 9.4.8, = 9.4.4, = 9.4.3, = 9.4.12, = 9.4.1, = 9.4.6, = 9.4.10, = 9.4.9, = 9.4, = 9.4.11, = 9.4.7, = 9.5.7, = 9.5.5, = 9.5.6, = 9.5.3, = 9.5.1., = 9.5.2, = 9.5, = 9.5.4, = 9.6.2, = 9.6.3, = 9.6.1, = 9.64 MEDIUM

PostgreSQL versions before 9.2.22, 9.3.18, 9.4.13, 9.5.8 and 9.6.4 are vulnerable to authorization flaw allowing remote authenticated attackers to retrieve passwords from the user mappings defined by the foreign server owners without actually having the privileges to do so.

<= 9.05 MEDIUM

PostgreSQL PL/Java after 9.0 does not honor access controls on large objects.

= 9.3.8, = 9.5.1, = 9.3.15, = 9.4.5, = 9.3, = 9.3.11, = 9.3.5, = 9.5.5, = 9.3.2, = 9.5.6, = 9.4.10, = 9.3.3, <= 9.2.20, = 9.3.14, = 9.3.13, = 9.4.8, = 9.4.2, = 9.4.3, = 9.4.4, = 9.5.3, = 9.3.10, = 9.4.6, = 9.6.2, = 9.3.6, = 9.3.7, = 9.4, = 9.4.1, = 9.4.9, = 9.6.1, = 9.4.11, = 9.3.4, = 9.3.12, = 9.4.7, = 9.5.4, = 9.3.1, = 9.3.9, = 9.5.2, = 9.6, = 9.3.16, = 9.55 MEDIUM

It was found that some selectivity estimation functions in PostgreSQL before 9.2.21, 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3 did not check user privileges before providing information from pg_statistic, possibly leaking information. An unprivileged attacker could use this flaw to steal some information from tables they are otherwise not allowed to access.

= 9.3.8, = 9.5.1, = 9.3.15, = 9.4.5, = 9.3, = 9.3.11, = 9.3.5, = 9.5.5, = 9.3.2, = 9.6.2, = 9.3.14, = 9.5.6, = 9.3.3, = 9.3.10, = 9.4.4, = 9.3.6, = 9.3.7, = 9.4, = 9.4.1, = 9.4.8, = 9.4.10, = 9.3.13, = 9.4.6, = 9.4.7, = 9.4.2, = 9.4.3, = 9.5.3, = 9.6, = 9.4.9, = 9.5, = 9.6.1, = 9.4.11, = 9.3.4, = 9.3.12, = 9.5.4, = 9.3.16, = 9.3.1, = 9.3.9, = 9.5.24.3 MEDIUM

In PostgreSQL 9.3.x before 9.3.17, 9.4.x before 9.4.12, 9.5.x before 9.5.7, and 9.6.x before 9.6.3, it was found that the PGREQUIRESSL environment variable was no longer enforcing a SSL/TLS connection to a PostgreSQL server. An active Man-in-the-Middle attacker could use this flaw to strip the SSL/TLS protection from a connection between a client and a server.

= 8.4.8, = 9.1.22, = 9.3.8, = 9.0.11, = 9.2.1, = 9.1.4, = 9.5.1, = 8.4.4, = 8.4.1, = 9.0.22, = 9.2.12, = 9.0.19, = 9.1.24, = 9.5.7, = 9.3.15, = 9.0.6, = 9.1.12, = 9.1.13, = 9.2.13, = 9.0.13, = 9.0.16, = 9.4.5, = 9.2.9, = 9.2.18, = 9.3, = 9.0.7, = 8.4.18, = 9.0.23, = 9.2.11, = 9.5.5, = 9.2, = 9.0.9, = 9.0.10, = 8.4.3, = 8.4.10, = 8.4.11, = 8.4.20, = 9.1.8, = 9.2.6, = 9.4.4, = 9.0.18, = 9.1.15, = 9.1.23, = 9.2.15, = 9.2.3, = 9.1, = 8.4.6, = 9.3.5, = 9.4.8, = 9.1.14, = 9.1.21, = 9.0.4, = 9.1.9, = 9.3.2, = 9.3.11, = 9.0.20, = 9.1.18, = 8.4.9, = 8.4.17, = 9.1.5, = 9.3.6, = 9.3.7, = 9.4.2, = 8.4.21, = 9.1.19, = 9.1.20, = 9.2.19, = 9.2.20, = 9.5.6, = 9.3.1, = 9.0.1, = 9.0.2, = 8.4.2, = 8.4.19, = 9.1.7, = 9.2.7, = 9.3.9, = 9.3.10, = 9.4.3, = 9.5.2, = 9.5.3, = 9.1.16, = 9.2.8, = 9.2.16, = 9.4.12, = 9.3.14, = 9.0.5, = 9.0.14, = 9.0.15, = 8.4.7, = 8.4.14, = 8.4.15, = 9.1.3, = 9.1.11, = 9.3.4, = 9.3.13, = 9.4, = 9.4.7, = 8.4.22, = 9.0.17, = 9.2.14, = 9.2.21, = 9.3.17, = 9.4.9, = 9.4.10, = 9.4.11, = 9.2.2, = 9.0.3, = 9.0.12, = 8.4.5, = 8.4.12, = 8.4.13, = 9.1.2, = 9.1.10, = 9.3.3, = 9.3.12, = 9.4.6, = 9.0.21, = 9.1.17, = 9.2.10, = 9.2.17, = 9.6, = 9.5.4, = 9.3.16, = 9.1.1, = 9.0, = 9.0.8, = 8.4, = 8.4.16, = 9.1.6, = 9.2.4, = 9.2.5, = 9.4.1, = 9.55 MEDIUM

PostgreSQL versions 8.4 - 9.6 are vulnerable to information leak in pg_user_mappings view which discloses foreign server passwords to any user having USAGE privilege on the associated foreign server.

= 9.3.8, = 9.2.1, = 9.5.1, = 9.4.5, = 9.3, = 9.2.13, = 9.2.9, = 9.2.12, = 9.3.11, = 9.4.2, = 9.3.7, = 9.3.3, = 9.2.15, = 9.2, = 9.4.8, = 9.3.6, = 9.3.5, = 9.2.11, = 9.2.3, = 9.2.4, = 9.5.3, = 9.4.4, = 9.4.3, = 9.3.10, = 9.3.2, = 9.2.10, = 9.2.6, = 9.5.2, = 9.4.1, = 9.2.16, = 9.2.8, = 9.2.7, = 9.2.17, = 9.5, = 9.4.7, = 9.4, = 9.3.13, = 9.2.14, = 9.2.2, <= 9.1.22, = 9.4.6, = 9.3.12, = 9.3.4, = 9.3.9, = 9.3.1, = 9.2.54.6 MEDIUM

PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.

= 9.3.8, = 9.2.1, = 9.5.1, = 9.4.5, = 9.3, = 9.2.13, = 9.2.9, = 9.2.12, = 9.3.11, = 9.4.8, = 9.3.7, = 9.3.6, = 9.3.5, = 9.2.3, = 9.4.4, = 9.3.10, = 9.3.2, = 9.2.11, = 9.2.10, = 9.2.4, = 9.5.3, = 9.4.3, = 9.4.2, = 9.3.3, = 9.2.6, = 9.2.15, = 9.2, = 9.5, = 9.4.1, = 9.4, = 9.4.7, = 9.4.6, = 9.3.13, = 9.3.12, = 9.3.4, = 9.2.2, = 9.3.1, = 9.2.5, = 9.5.2, = 9.3.9, = 9.2.16, = 9.2.8, = 9.2.7, = 9.2.14, = 9.2.17, <= 9.1.226.5 MEDIUM

PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 allow remote authenticated users to cause a denial of service (NULL pointer dereference and server crash), obtain sensitive memory information, or possibly execute arbitrary code via (1) a CASE expression within the test value subexpression of another CASE or (2) inlining of an SQL function that implements the equality operator used for a CASE expression involving values of different types.

= 9.5.1, = 9.58.5 HIGH

The (1) brin_page_type and (2) brin_metapage_info functions in the pageinspect extension in PostgreSQL before 9.5.x before 9.5.2 allows attackers to bypass intended access restrictions and consequently obtain sensitive server memory information or cause a denial of service (server crash) via a crafted bytea value in a BRIN index page.

= 9.5.1, = 9.55 MEDIUM

PostgreSQL before 9.5.x before 9.5.2 does not properly maintain row-security status in cached plans, which might allow attackers to bypass intended access restrictions by leveraging a session that performs queries as more than one role.

= 9.2.1, = 9.4.5, = 9.2.13, = 9.2.9, = 9.2.12, = 9.2.6, = 9.2.11, = 9.2.3, = 9.4.2, = 9.4.4, = 9.4.3, = 9.2.10, = 9.2.2, = 9.4, = 9.2.14, = 9.2.5, = 9.5, = 9.2.4, = 9.4.1, = 9.2.8, = 9.2.7, = 9.2, <= 9.1.195 MEDIUM

PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 allows remote attackers to cause a denial of service (infinite loop or buffer overflow and crash) via a large Unicode character range in a regular expression.

= 9.2.1, = 9.4.5, = 9.2.13, = 9.2.9, = 9.2.12, = 9.2.6, = 9.2.11, = 9.2.3, = 9.4.2, = 9.5, = 9.2.5, = 9.2.4, = 9.4, = 9.2.14, = 9.2.7, = 9.4.4, = 9.4.3, = 9.2.10, = 9.2.2, = 9.4.1, = 9.2.8, = 9.2, = *, >= 9.2, < 9.2.15, >= 9.4, < 9.4.6, >= 9.3, < 9.3.11, >= 9.1.0, < 9.1.208.8 HIGH9 HIGH

PostgreSQL before 9.1.20, 9.2.x before 9.2.15, 9.3.x before 9.3.11, 9.4.x before 9.4.6, and 9.5.x before 9.5.1 does not properly restrict access to unspecified custom configuration settings (GUCS) for PL/Java, which allows attackers to gain privileges via unspecified vectors.

= 9.3.8, = 9.2.1, = 9.1.4, = 9.1.13, = 9.3, = *, = 9.1.12, = 9.2.13, = 9.2.9, = 9.1.14, = 9.1.15, = 9.1.5, = 9.2.12, = 9.3.6, = 9.3.7, = 9.2.11, = 9.2.6, = 9.3.5, = 9.4.4, = 9.1.18, = 9.3.2, = 9.4.2, = 9.1, = 9.1.8, = 9.1.9, = 9.2.3, = 9.4.0, = 9.1.6, = 9.2.8, = 9.1.3, = 9.2.10, = 9.2.7, = 9.3.4, = 9.4.3, = 9.1.10, = 9.1.11, = 9.1.2, = 9.2, = 9.2.4, = 9.2.5, = 9.3.3, = 9.4.1, = 9.1.1, = 9.1.16, = 9.1.17, = 9.1.7, = 9.2.2, = 9.3.1, = 9.3.9, >= 9.4.0, < 9.4.5, >= 9.3.0, < 9.3.106.4 MEDIUM

Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values.

= 9.3.8, = 9.2.1, = 9.1.4, = 9.1.13, = 9.3, <= 9.0.22, = 9.1.12, = 9.2.13, = 9.2.9, = 9.1.14, = 9.1.5, = 9.2.11, = 9.3.5, = 9.3.6, = 9.4.4, = 9.2.6, = 9.4.2, = 9.1, = 9.1.18, = 9.1.8, = 9.1.9, = 9.2.3, = 9.3.2, = 9.4.0, = 9.1.15, = 9.2.12, = 9.3.7, = 9.1.10, = 9.1.11, = 9.1.2, = 9.1.3, = 9.2, = 9.2.10, = 9.2.7, = 9.2.8, = 9.4.3, = 9.2.5, = 9.3.3, = 9.3.4, = 9.4.1, = 9.1.1, = 9.1.17, = 9.2.2, = 9.2.4, = 9.3.1, = 9.3.9, = 9.1.16, = 9.1.6, = 9.1.76.4 MEDIUM

The crypt function in contrib/pgcrypto in PostgreSQL before 9.0.23, 9.1.x before 9.1.19, 9.2.x before 9.2.14, 9.3.x before 9.3.10, and 9.4.x before 9.4.5 allows attackers to cause a denial of service (server crash) or read arbitrary server memory via a "too-short" salt.

= 9.2.1, = 9.1.4, = 9.1.13, = 9.3, = 9.1.12, = 9.2.9, = 9.1.14, = 9.3.5, = 9.1.15, = 9.1.2, = 9.1.3, = 9.2.3, = 9.2.10, = 9.4.1, = 9.1, = 9.1.8, = 9.1.9, = 9.2, = 9.3.6, = 9.4.0, = 9.1.5, = 9.2.4, = 9.3.2, = 9.3.3, = 9.1.6, = 9.1.7, = 9.2.6, = 9.1.1, = 9.1.10, = 9.1.11, = 9.2.2, = 9.3.1, <= 9.0.19, = 9.2.8, = 9.2.5, = 9.2.7, = 9.3.44.3 MEDIUM

Double free vulnerability in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 allows remote attackers to cause a denial of service (crash) by closing an SSL session at a time when the authentication timeout will expire during the session shutdown sequence.

= 9.0.11, = 9.2.1, = 9.1.4, = 9.0.13, = 9.3, = 9.0.7, = 9.0.6, = 9.3.2, = 9.1, = 9.1.3, = 9.1.2, = 9.0.4, = 9.0.3, = 9.1.9, = 9.2.3, = 9.1.5, = 9.0.1, = 9.0, = 9.2.4, = 9.2, = 9.1.8, = 9.0.9, = 9.0.14, = 9.3.1, = 9.1.7, = 9.1.6, = 9.0.10, = 9.1.10, = 9.1.11, = 9.2.2, = 9.1.1, = 9.0.15, = 9.0.5, = 9.2.5, = 9.0.2, = 9.0.12, = 9.0.86.5 MEDIUM

Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3) hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a buffer overflow. NOTE: this issue was SPLIT from CVE-2014-0064 because it has a different set of affected versions.

= 8.4.8, = 9.0.11, = 9.2.1, = 9.1.4, = 8.4.4, = 8.4.1, = 9.0.13, = 9.3, = 8.4.18, = 9.0.6, = 8.4.9, = 9.3.2, = 9.1.9, = 9.1.8, = 9.0.9, = 8.4.6, = 9.2.6, <= 8.4.19, = 9.1, = 9.0.4, = 9.1.5, = 9.0.7, = 9.0.10, = 8.4.3, = 8.4.11, = 8.4.10, = 9.2.3, = 9.2.2, = 9.1.2, = 9.1.3, = 9.0.5, = 9.0, = 8.4.2, = 8.4.16, = 9.1.10, = 9.1.7, = 9.1.1, = 9.0.12, = 9.0.2, = 8.4.5, = 8.4.13, = 8.4.12, = 9.2.5, = 9.2.4, = 9.2, = 9.0.3, = 8.4.7, = 8.4.15, = 8.4.14, = 9.3.1, = 9.0.15, = 9.0.14, = 9.1.6, = 9.0.8, = 9.0.1, = 9.1.11, = 8.4.176.5 MEDIUM

Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063.

= 8.4.8, = 9.0.11, = 9.2.1, = 9.1.4, = 8.4.4, = 8.4.1, = 9.0.13, = 9.3, = 8.4.18, = 9.1, = 9.2.6, = 9.0.4, = 8.4.9, = 9.3.2, = 9.1.9, = 9.1.8, = 9.0.9, = 8.4.6, = 8.4.11, <= 8.4.19, = 9.1.5, = 9.0.7, = 9.0.6, = 9.0.10, = 8.4.3, = 8.4.10, = 9.2.3, = 9.2, = 9.1.1, = 9.0.3, = 9.0.12, = 8.4.7, = 8.4.14, = 8.4.13, = 9.0.15, = 9.0.14, = 9.2.2, = 9.1.2, = 9.1.3, = 9.0.5, = 9.0, = 8.4.2, = 8.4.16, = 8.4.15, = 9.3.1, = 9.1.10, = 9.1.7, = 9.0.8, = 9.0.2, = 8.4.5, = 8.4.12, = 9.2.5, = 9.2.4, = 9.1.6, = 9.0.1, = 9.1.11, = 8.4.176.5 MEDIUM

The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.

= 8.4.8, = 9.0.11, = 9.2.1, = 9.1.4, = 8.4.4, = 8.4.1, = 9.0.13, = 9.3, = 8.4.18, = 9.1.8, = 9.0.9, = 8.4.6, = 9.2.6, <= 8.4.19, = 9.1, = 9.0.4, = 8.4.9, = 9.1.9, = 9.0.7, = 8.4.3, = 8.4.11, = 8.4.10, = 9.2.3, = 9.1.5, = 9.0.6, = 9.0.10, = 9.3.2, = 9.2, = 9.1.1, = 9.0.12, = 9.0.2, = 8.4.7, = 8.4.13, = 8.4.12, = 9.2.5, = 9.0.14, = 9.2.2, = 9.0.3, = 8.4.15, = 8.4.14, = 9.3.1, = 9.0.15, = 9.1.7, = 9.1.6, = 9.0.8, = 9.0.1, = 8.4.5, = 9.2.4, = 8.4.17, = 9.1.2, = 9.1.3, = 9.0.5, = 9.0, = 8.4.2, = 8.4.16, = 9.1.11, = 9.1.104.9 MEDIUM

Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window.

= 8.4.8, = 9.0.11, = 9.2.1, = 9.1.4, = 8.4.4, = 8.4.1, = 9.0.13, = 9.3, = 8.4.18, = 9.1, = 9.0.4, = 9.0.6, = 8.4.9, = 9.3.2, = 9.1.9, = 9.1.8, = 9.0.9, = 8.4.6, = 9.2.6, <= 8.4.19, = 9.1.5, = 9.0.7, = 9.0.10, = 8.4.3, = 8.4.11, = 8.4.10, = 9.2.3, = 9.2, = 9.0.3, = 8.4.7, = 8.4.15, = 8.4.14, = 9.3.1, = 9.0.15, = 9.0.14, = 9.2.2, = 9.1.2, = 9.1.3, = 9.0.5, = 9.0, = 8.4.2, = 8.4.16, = 9.1.10, = 9.1.7, = 9.1.1, = 9.0.12, = 9.0.2, = 8.4.5, = 8.4.13, = 8.4.12, = 9.2.5, = 9.2.4, = 9.1.6, = 9.0.8, = 9.0.1, = 9.1.11, = 8.4.176.5 MEDIUM

Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065.

= 8.4.8, = 9.0.11, = 9.2.1, = 9.1.4, = 8.4.4, = 8.4.1, = 9.0.13, = 9.3, = 8.4.18, = 9.1.8, = 9.0.9, = 8.4.6, = 9.1, = 9.0.4, = 9.1.5, = 9.0.7, = 9.0.10, = 8.4.3, = 8.4.11, = 8.4.10, = 9.2.3, <= 8.4.19, = 9.0.6, = 8.4.9, = 9.3.2, = 9.1.9, = 9.2.6, = 9.1.7, = 9.1.1, = 9.0.2, = 8.4.5, = 9.2, = 9.0.3, = 9.0.12, = 8.4.7, = 8.4.15, = 8.4.14, = 9.1.6, = 9.0.8, = 9.0.1, = 9.1.11, = 8.4.17, = 9.2.2, = 9.1.2, = 8.4.13, = 8.4.12, = 9.2.5, = 9.2.4, = 9.1.3, = 9.0.5, = 9.0, = 8.4.2, = 8.4.16, = 9.1.10, = 9.3.1, = 9.0.15, = 9.0.146.5 MEDIUM

Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector.

= 8.4.8, = 9.0.11, = 9.2.1, = 9.1.4, = 8.4.4, = 8.4.1, = 9.0.13, = 9.3, = 8.4.18, = 9.1.5, = 9.0.6, = 9.0.10, = 8.4.3, = 9.3.2, = 9.1.8, = 9.0.9, = 8.4.6, = 9.2.6, = 9.0.7, = 8.4.11, = 8.4.10, = 9.2.3, <= 8.4.19, = 9.1, = 9.0.4, = 8.4.9, = 9.1.9, = 9.1.7, = 9.1.6, = 9.0.8, = 9.1.2, = 9.1.3, = 9.0.5, = 9.0, = 8.4.2, = 8.4.16, = 9.1.11, = 9.1.10, = 9.2, = 9.1.1, = 9.0.12, = 9.0.2, = 8.4.7, = 8.4.13, = 8.4.12, = 9.2.5, = 9.0.14, = 9.0.1, = 8.4.5, = 9.2.4, = 8.4.17, = 9.2.2, = 9.0.3, = 8.4.15, = 8.4.14, = 9.3.1, = 9.0.154.6 MEDIUM

The "make check" command for the test suites in PostgreSQL 9.3.3 and earlier does not properly invoke initdb to specify the authentication requirements for a database cluster to be used for the tests, which allows local users to gain privileges by leveraging access to this cluster.

= 8.4.8, = 9.0.11, = 9.2.1, = 9.1.4, = 8.4.4, = 8.4.1, = 9.0.13, = 9.3, = 8.4.18, = 9.1.8, = 9.0.9, = 8.4.6, = 8.4.11, <= 8.4.19, = 9.1, = 9.2.6, = 9.0.4, = 8.4.9, = 9.3.2, = 9.1.9, = 9.1.5, = 9.0.7, = 9.0.6, = 9.0.10, = 8.4.3, = 8.4.10, = 9.2.3, = 9.2.2, = 9.1.2, = 9.1.3, = 9.1.7, = 9.0.8, = 9.0.2, = 8.4.5, = 8.4.12, = 9.2.5, = 9.2.4, = 9.2, = 9.1.1, = 9.0.3, = 9.0.12, = 8.4.7, = 8.4.14, = 8.4.13, = 9.0.15, = 9.0.14, = 9.0.5, = 9.0, = 8.4.2, = 8.4.16, = 8.4.15, = 9.3.1, = 9.1.10, = 9.1.6, = 9.0.1, = 9.1.11, = 8.4.174 MEDIUM

The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly check the return value of the crypt library function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors.

= 8.4.8, = 9.0.11, = 9.2.1, = 9.1.4, = 8.4.4, = 8.4.1, = 9.0.13, = 9.3, = 8.4.18, = 9.1.8, = 9.0.9, = 8.4.6, = 9.1, = 9.0.4, = 8.4.9, = 9.1.9, = 9.1.5, = 9.0.6, = 9.0.10, = 8.4.3, = 9.3.2, = 9.2.6, = 9.0.7, = 8.4.11, = 8.4.10, = 9.2.3, <= 8.4.19, = 9.2, = 9.1.1, = 9.0.12, = 9.0.2, = 8.4.7, = 8.4.13, = 9.2.2, = 9.1.3, = 9.0.3, = 8.4.15, = 8.4.14, = 9.3.1, = 9.0.15, = 9.1.2, = 9.0.5, = 9.0, = 8.4.2, = 8.4.16, = 9.1.11, = 9.1.10, = 8.4.12, = 9.2.5, = 9.0.14, = 9.1.7, = 9.1.6, = 9.0.8, = 9.0.1, = 8.4.5, = 9.2.4, = 8.4.174 MEDIUM

PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.

= 8.2, = 8.2.1, = 8.2.2, = 8.2.3, = 8.2.4, = 8.2.5, = 8.2.6, = 8.2.7, = 8.2.8, = 8.2.9, = 8.2.10, = 8.2.11, = 8.2.12, = 8.2.13, = 8.2.14, = 8.2.15, = 8.2.16, = 8.2.17, = 8.2.18, = 8.3, = 8.3.1, = 8.3.2, = 8.3.3, = 8.3.4, = 8.3.5, = 8.3.6, = 8.3.7, = 8.3.8, = 8.3.9, = 8.3.10, = 8.3.11, = 8.3.12, = 8.3.13, = 8.3.14, = 8.3.15, = 8.3.16, = 8.3.17, = 8.3.18, = 8.3.19, = 8.3.20, = 8.3.21, = 8.3.22, = 8.4, = 8.4.1, = 8.4.2, = 8.4.3, = 8.4.4, = 8.4.5, = 8.4.6, = 8.4.7, = 8.4.8, = 8.4.9, = 8.4.10, = 8.4.11, = 8.4.12, = 8.4.13, = 8.4.14, = 8.4.15, = 8.4.16, = 9.0, = 9.0.1, = 9.0.2, = 9.0.3, = 9.0.4, = 9.0.5, = 9.0.6, = 9.0.7, = 9.0.8, = 9.0.9, = 9.0.10, = 9.0.11, = 9.0.12, = 9.1, = 9.1.1, = 9.1.2, = 9.1.3, = 9.1.4, = 9.1.5, = 9.1.6, = 9.1.7, = 9.1.8, = 9.2, = 9.2.1, = 9.2.2, = 9.2.36.8 MEDIUM

SQL injection vulnerability in Quassel IRC before 0.9.1, when Qt 4.8.5 or later and PostgreSQL 8.2 or later are used, allows remote attackers to execute arbitrary SQL commands via a \ (backslash) in a message.

= 9.2.1, = 9.2.3, = 9.2, = 9.2.2, = 9.1.4, = 9.1, = 9.1.5, = 9.1.8, = 9.1.2, = 9.1.6, = 9.1.7, = 9.1.3, = 9.1.14 MEDIUM

PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions.

= 9.2.1, = 9.2.3, = 9.2, = 9.2.2, = 9.1.4, = 9.1, = 9.1.5, = 9.1.8, = 9.1.2, = 9.1.6, = 9.1.7, = 9.1.3, = 9.1.1, = 9.0.11, = 9.0.7, = 9.0.6, = 9.0.10, = 9.0.4, = 9.0.9, = 9.0.1, = 9.0.3, = 9.0, = 9.0.12, = 9.0.5, = 9.0.2, = 9.0.8, = 8.4.8, = 8.4.4, = 8.4.1, = 8.4.9, = 8.4.3, = 8.4.10, = 8.4.11, = 8.4.6, = 8.4.15, = 8.4.14, = 8.4.12, = 8.4.13, = 8.4, = 8.4.16, = 8.4.5, = 8.4.7, = 8.4.2, = 8.3.6, = 8.3.17, = 8.3.21, = 8.3.3, = 8.3.2, = 8.3.12, = 8.3.18, = 8.3.20, = 8.3.14, = 8.3.7, = 8.3.1, = 8.3.4, = 8.3.8, = 8.3.19, = 8.3.5, = 8.3.16, = 8.3.22, = 8.3.9, = 8.3, = 8.3.11, = 8.3.15, = 8.3.10, = 8.3.1310 HIGH

PostgreSQL, possibly 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 incorrectly provides the superuser password to scripts related to "graphical installers for Linux and Mac OS X," which has unspecified impact and attack vectors.

= 9.2.1, = 9.2.3, = 9.2, = 9.2.2, = 9.1.4, = 9.1, = 9.1.5, = 9.1.8, = 9.1.2, = 9.1.6, = 9.1.7, = 9.1.3, = 9.1.1, = 9.0.11, = 9.0.7, = 9.0.6, = 9.0.10, = 9.0.4, = 9.0.9, = 9.0.1, = 9.0.3, = 9.0, = 9.0.8, = 9.0.5, = 9.0.2, = 9.0.126.5 MEDIUM

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).

= 9.2.1, = 9.2.3, = 9.2, = 9.2.2, = 9.1.4, = 9.1, = 9.1.5, = 9.1.8, = 9.1.2, = 9.1.6, = 9.1.7, = 9.1.3, = 9.1.1, = 9.0.11, = 9.0.7, = 9.0.6, = 9.0.10, = 9.0.4, = 9.0.9, = 9.0.1, = 9.0.3, = 9.0, = 9.0.12, = 9.0.5, = 9.0.2, = 9.0.8, = 8.4.8, = 8.4.4, = 8.4.1, = 8.4.9, = 8.4.3, = 8.4.10, = 8.4.11, = 8.4.6, = 8.4.15, = 8.4, = 8.4.16, = 8.4.5, = 8.4.7, = 8.4.12, = 8.4.2, = 8.4.13, = 8.4.148.5 HIGH

PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the "contrib/pgcrypto functions."

= 9.2.1, = 9.2.3, = 9.2, = 9.2.2, = 9.1.4, = 9.1, = 9.1.5, = 9.1.8, = 9.1.2, = 9.1.6, = 9.1.7, = 9.1.3, = 9.1.1, = 9.0.11, = 9.0.7, = 9.0.6, = 9.0.10, = 9.0.4, = 9.0.9, = 9.0.1, = 9.0.3, = 9.0, = 9.0.2, = 9.0.8, = 9.0.12, = 9.0.5, = 8.4.8, = 8.4.4, = 8.4.1, = 8.4.9, = 8.4.3, = 8.4.10, = 8.4.11, = 8.4.6, = 8.4.15, = 8.4, = 8.4.16, = 8.4.5, = 8.4.7, = 8.4.14, = 8.4.12, = 8.4.2, = 8.4.13, = 8.3.6, = 8.3.17, = 8.3.21, = 8.3.3, = 8.3.2, = 8.3.12, = 8.3.18, = 8.3.20, = 8.3.14, = 8.3.5, = 8.3.16, = 8.3.22, = 8.3.9, = 8.3, = 8.3.11, = 8.3.15, = 8.3.10, = 8.3.13, = 8.3.7, = 8.3.1, = 8.3.4, = 8.3.8, = 8.3.1910 HIGH

PostgreSQL, 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, 8.4.x before 8.4.17, and 8.3.x before 8.3.23 generates insecure temporary files with predictable filenames, which has unspecified impact and attack vectors related to "graphical installers for Linux and Mac OS X."

= 8.3.6, = 8.3.17, = 8.3.21, = 8.3.3, = 8.3.2, = 8.3.12, = 8.3.18, = 8.3.20, = 8.3.14, = 8.3.16, = 8.3.8, = 8.3.22, = 8.3.1, = 8.3.19, = 8.3.5, = 8.3.9, = 8.3.11, = 8.3.7, = 8.3.15, = 8.3.4, = 8.3.10, = 8.3.13, = 8.3, = 8.4.8, = 8.4.4, = 8.4.1, = 8.4.9, = 8.4.3, = 8.4.10, = 8.4.11, = 8.4.6, = 8.4.15, = 8.4, = 8.4.14, = 8.4.13, = 8.4.7, = 8.4.12, = 8.4.5, = 8.4.2, = 9.0.11, = 9.0.7, = 9.0.6, = 9.0.10, = 9.0.4, = 9.0.9, = 9.0.1, = 9.0.3, = 9.0, = 9.0.2, = 9.0.5, = 9.0.8, = 9.1.4, = 9.1, = 9.1.5, = 9.1.2, = 9.1.6, = 9.1.7, = 9.1.3, = 9.1.1, = 9.2.1, = 9.2, = 9.2.26.8 MEDIUM

PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read.

all versions5 MEDIUM

The add_database function in objects.c in the pgbouncer pooler 1.5.2 for PostgreSQL allows remote attackers to cause a denial of service (daemon outage) via a long database name in a request.

= 9.17.5 HIGH

Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the "standard_conforming_strings" option enabled, such as the default configuration of PostgreSQL 9.1, does not properly escape unspecified JDBC statement parameters, which allows remote attackers to perform SQL injection attacks. NOTE: as of 20120330, it was claimed that the upstream developer planned to dispute this issue, but an official dispute has not been posted as of 20121005.

= 9.1.4, = 9.1, = 9.1.2, = 9.1.3, = 9.1.1, = 8.4.8, = 8.4.4, = 8.4.1, = 8.4.9, = 8.4.3, = 8.4.10, = 8.4.11, = 8.4.6, = 8.4, = 8.4.12, = 8.4.7, = 8.4.5, = 8.4.2, = 8.3.6, = 8.3.17, = 8.3.3, = 8.3.2, = 8.3.12, = 8.3.18, = 8.3.14, = 8.3.1, = 8.3.5, = 8.3.13, = 8.3.15, = 8.3.16, = 8.3.10, = 8.3.9, = 8.3, = 8.3.19, = 8.3.11, = 8.3.4, = 8.3.8, = 8.3.7, = 9.0.7, = 9.0.6, = 9.0.4, = 9.0.1, = 9.0.3, = 9.0, = 9.0.2, = 9.0.5, = 9.0.84.9 MEDIUM

The libxslt support in contrib/xml2 in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 does not properly restrict access to files and URLs, which allows remote authenticated users to modify data, obtain sensitive information, or trigger outbound traffic to arbitrary external hosts by leveraging (1) stylesheet commands that are permitted by the libxslt security options or (2) an xslt_process feature, related to an XML External Entity (aka XXE) issue.

= 9.0.7, = 9.0.6, = 9.0.4, = 9.0.1, = 9.0.3, = 9.0, = 9.0.2, = 9.0.5, = 9.0.8, = 9.1.4, = 9.1, = 9.1.2, = 9.1.3, = 9.1.1, = 8.3.6, = 8.3.17, = 8.3.3, = 8.3.2, = 8.3.12, = 8.3.18, = 8.3.14, = 8.3.1, = 8.3.5, = 8.3.15, = 8.3.16, = 8.3.8, = 8.3, = 8.3.10, = 8.3.9, = 8.3.7, = 8.3.19, = 8.3.13, = 8.3.4, = 8.3.11, = 8.4.8, = 8.4.4, = 8.4.1, = 8.4.9, = 8.4.3, = 8.4.10, = 8.4.11, = 8.4.6, = 8.4, = 8.4.12, = 8.4.2, = 8.4.7, = 8.4.5, >= 8.3.0, < 8.3.20, >= 8.4.0, < 8.4.13, >= 9.1.0, < 9.1.5, >= 9.0.0, < 9.0.96.5 MEDIUM4 MEDIUM

The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue.

= 8.3.6, = 8.3.17, = 8.3.3, = 8.3.2, = 8.3.12, = 8.3.14, = 8.3.1, = 8.3.5, = 8.3.8, = 8.3.10, = 8.3, = 8.3.13, = 8.3.4, = 8.3.11, = 8.3.15, = 8.3.9, = 8.3.7, = 8.3.16, = 8.4.8, = 8.4.4, = 8.4.1, = 8.4.9, = 8.4.3, = 8.4.10, = 8.4.6, = 8.4, = 8.4.5, = 8.4.7, = 8.4.2, = 9.0.6, = 9.0.4, = 9.0.1, = 9.0.3, = 9.0, = 9.0.2, = 9.0.5, = 9.1, = 9.1.2, = 9.1.16.8 MEDIUM

CRLF injection vulnerability in pg_dump in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 allows user-assisted remote attackers to execute arbitrary SQL commands via a crafted file containing object names with newlines, which are inserted into an SQL script that is used when the database is restored.

= 8.3.6, = 8.3.17, = 8.3.3, = 8.3.2, = 8.3.12, = 8.3.18, = 8.3.14, = 8.3.1, = 8.3.5, = 8.3.13, = 8.3.4, = 8.3.11, = 8.3.8, = 8.3.7, = 8.3.16, = 8.3.15, = 8.3.10, = 8.3.9, = 8.3, = 8.4.8, = 8.4.4, = 8.4.1, = 8.4.9, = 8.4.3, = 8.4.10, = 8.4.11, = 8.4.6, = 8.4, = 8.4.2, = 8.4.5, = 8.4.7, = 9.0.7, = 9.0.6, = 9.0.4, = 9.0.1, = 9.0.3, = 9.0, = 9.0.2, = 9.0.5, = 9.1, = 9.1.2, = 9.1.3, = 9.1.14 MEDIUM

PostgreSQL 8.3.x before 8.3.19, 8.4.x before 8.4.12, 9.0.x before 9.0.8, and 9.1.x before 9.1.4 allows remote authenticated users to cause a denial of service (server crash) by adding the (1) SECURITY DEFINER or (2) SET attributes to a procedural language's call handler.

= 8.3.6, = 8.3.17, = 8.3.3, = 8.3.2, = 8.3.12, = 8.3.14, = 8.3.1, = 8.3.5, = 8.3.8, = 8.3.7, = 8.3.16, = 8.3.15, = 8.3.13, = 8.3, = 8.3.11, = 8.3.4, = 8.3.10, = 8.3.9, = 8.4.8, = 8.4.4, = 8.4.1, = 8.4.9, = 8.4.3, = 8.4.10, = 8.4.6, = 8.4, = 8.4.5, = 8.4.2, = 8.4.7, = 9.0.6, = 9.0.4, = 9.0.1, = 9.0.3, = 9.0, = 9.0.2, = 9.0.5, = 9.1, = 9.1.2, = 9.1.16.5 MEDIUM

CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table.

= 8.4.8, = 8.4.4, = 8.4.1, = 8.4.9, = 8.4.3, = 8.4.10, = 8.4.6, = 8.4, = 8.4.5, = 8.4.2, = 8.4.7, = 9.0.6, = 9.0.4, = 9.0.1, = 9.0.3, = 9.0, = 9.0.2, = 9.0.5, = 9.1, = 9.1.2, = 9.1.14.3 MEDIUM

PostgreSQL 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 truncates the common name to only 32 characters when verifying SSL certificates, which allows remote attackers to spoof connections when the host name is exactly 32 characters.

= 9.1, = 8.4, = 8.3, = 9.0, >= 8.3, < 8.3.19, >= 8.4, < 8.4.12, >= 9.0, < 9.0.8, >= 9.1, < 9.1.44.3 MEDIUM

The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password.

>= 8.2.0, < 8.2.22, >= 8.3.0, < 8.3.16, >= 8.4.0, < 8.4.9, >= 9.0.0, < 9.0.55 MEDIUM

crypt_blowfish before 1.1, as used in PHP before 5.3.7 on certain platforms, PostgreSQL before 8.4.9, and other products, does not properly handle 8-bit characters, which makes it easier for context-dependent attackers to determine a cleartext password by leveraging knowledge of a password hash.

= 8.3.6, = 8.3.3, = 8.3.2, = 8.3.12, = 8.3.1, = 8.3.5, = 8.3.8, = 8.3.7, = 8.3.10, = 8.3.13, = 8.3.11, = 8.3.4, = 8.3.9, = 8.3, = 9.0.1, = 9.0, = 9.0.2, = 8.4.4, = 8.4.1, = 8.4.3, = 8.4.6, = 8.4, = 8.4.5, = 8.4.2, = 8.2.9, = 8.2.17, = 8.2.10, = 8.2.15, = 8.2.4, = 8.2.11, = 8.2.12, = 8.2.2, = 8.2.19, = 8.2.14, = 8.2.7, = 8.2.6, = 8.2.3, = 8.2.16, = 8.2.8, = 8.2.13, = 8.2.5, = 8.2, = 8.2.1, = 8.2.186.5 MEDIUM

Buffer overflow in the gettoken function in contrib/intarray/_int_bool.c in the intarray array module in PostgreSQL 9.0.x before 9.0.3, 8.4.x before 8.4.7, 8.3.x before 8.3.14, and 8.2.x before 8.2.20 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via integers with a large number of digits to unspecified functions.

all versions6 MEDIUM

The PL/php add-on 1.4 and earlier for PostgreSQL does not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, a related issue to CVE-2010-3433.

= 7.4.16, = 7.4.24, = 7.4.22, = 7.4.21, = 7.4.19, = 7.4.15, = 7.4.1, = 7.4.14, = 7.4.26, = 7.4.5, = 7.4.4, = 7.4.28, = 7.4.18, = 7.4.23, = 7.4.12, = 7.4.17, = 7.4.9, = 7.4.10, = 7.4.7, = 7.4.6, = 7.4, = 7.4.25, = 7.4.3, = 7.4.29, = 7.4.8, = 7.4.27, = 7.4.11, = 7.4.13, = 7.4.2, = 7.4.20, = 8.0.7, = 8.0.2, = 8.0.22, = 8.0.25, = 8.0.17, = 8.0.10, = 8.0.12, = 8.0.9, = 8.0.15, = 8.0.14, = 8.0.1, = 8.0.18, = 8.0.5, = 8.0.6, = 8.0.11, = 8.0.20, = 8.0.13, = 8.0.4, = 8.0.21, = 8.0.24, = 8.0.23, = 8.0.19, = 8.0, = 8.0.3, = 8.0.16, = 8.0.8, = 8.1.10, = 8.1.6, = 8.1.15, = 8.1.7, = 8.1.20, = 8.1, = 8.1.19, = 8.1.13, = 8.1.3, = 8.1.2, = 8.1.11, = 8.1.12, = 8.1.16, = 8.1.4, = 8.1.5, = 8.1.14, = 8.1.21, = 8.1.1, = 8.1.8, = 8.1.9, = 8.1.17, = 8.1.18, = 8.2.9, = 8.2.17, = 8.2.10, = 8.2.15, = 8.2.4, = 8.2.11, = 8.2.12, = 8.2.2, = 8.2.5, = 8.2, = 8.2.7, = 8.2.14, = 8.2.1, = 8.2.3, = 8.2.8, = 8.2.13, = 8.2.16, = 8.2.6, = 8.3.6, = 8.3.3, = 8.3.2, = 8.3.1, = 8.3.5, = 8.3.8, = 8.3.7, = 8.3.10, = 8.3, = 8.3.4, = 8.3.9, = 8.3.11, = 8.4.4, = 8.4.1, = 8.4.3, = 8.4, = 8.4.2, = 9.06 MEDIUM

The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, as demonstrated by (1) redefining standard functions or (2) redefining operators, a different vulnerability than CVE-2010-1168, CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447.

= 7.4.16, = 7.4.24, = 7.4.22, = 7.4.21, = 7.4.19, = 7.4.15, = 7.4.1, = 7.4.14, = 7.4.26, = 7.4.5, = 7.4.4, = 7.4, = 7.4.28, = 7.4.27, = 7.4.3, = 7.4.8, = 7.4.18, = 7.4.25, = 7.4.7, = 7.4.10, = 7.4.6, = 7.4.9, = 7.4.11, = 7.4.23, = 7.4.12, = 7.4.20, = 7.4.17, = 7.4.2, = 7.4.13, = 8.0.7, = 8.0.2, = 8.0.22, = 8.0.17, = 8.0.10, = 8.0.12, = 8.0.9, = 8.0.15, = 8.0.0, = 8.0.14, = 8.0.19, = 8.0.1, = 8.0.18, = 8.0.5, = 8.0.6, = 8.0.20, = 8.0.23, = 8.0.13, = 8.0.4, = 8.0.21, = 8.0.24, = 8.0.11, = 8.0, = 8.0.3, = 8.0.16, = 8.0.8, = 8.1.10, = 8.1.6, = 8.1.15, = 8.1.7, = 8.1.20, = 8.1, = 8.1.19, = 8.1.13, = 8.1.0, = 8.1.2, = 8.1.5, = 8.1.4, = 8.1.18, = 8.1.8, = 8.1.3, = 8.1.17, = 8.1.11, = 8.1.16, = 8.1.14, = 8.1.12, = 8.1.9, = 8.1.1, = 8.2.9, = 8.2.10, = 8.2.15, = 8.2.4, = 8.2.11, = 8.2.12, = 8.2.2, = 8.2.5, = 8.2.1, = 8.2.14, = 8.2, = 8.2.7, = 8.2.6, = 8.2.16, = 8.2.8, = 8.2.13, = 8.2.3, = 8.3.6, = 8.3.3, = 8.3.2, = 8.3.1, = 8.3.5, = 8.3.8, = 8.3.7, = 8.3.10, = 8.3, = 8.3.4, = 8.3.9, = 8.4.1, = 8.4.3, = 8.4, = 8.4.2, = 9.0.06 MEDIUM

The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the pltcl_modules table regardless of the table's ownership and permissions, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Tcl code by creating this table and inserting a crafted Tcl script.

= 7.4.16, = 7.4.24, = 7.4.22, = 7.4.21, = 7.4.19, = 7.4.15, = 7.4.1, = 7.4.14, = 7.4.26, = 7.4.6, = 7.4.11, = 7.4.23, = 7.4.20, = 7.4.4, = 7.4.7, = 7.4.10, = 7.4.27, = 7.4.3, = 7.4.9, = 7.4.8, = 7.4.18, = 7.4.12, = 7.4.25, = 7.4.17, = 7.4.5, = 7.4, = 7.4.28, = 7.4.2, = 7.4.13, = 8.0.7, = 8.0.2, = 8.0.22, = 8.0.17, = 8.0.10, = 8.0.12, = 8.0.9, = 8.0.15, = 8.0.0, = 8.0.20, = 8.0, = 8.0.4, = 8.0.3, = 8.0.21, = 8.0.23, = 8.0.13, = 8.0.24, = 8.0.11, = 8.0.1, = 8.0.16, = 8.0.8, = 8.0.5, = 8.0.14, = 8.0.18, = 8.0.19, = 8.0.6, = 8.1.10, = 8.1.6, = 8.1.15, = 8.1.7, = 8.1.20, = 8.1, = 8.1.19, = 8.1.13, = 8.1.0, = 8.1.9, = 8.1.1, = 8.1.12, = 8.1.4, = 8.1.14, = 8.1.3, = 8.1.11, = 8.1.2, = 8.1.5, = 8.1.17, = 8.1.18, = 8.1.16, = 8.1.8, = 8.2.9, = 8.2.10, = 8.2.15, = 8.2.4, = 8.2.11, = 8.2.12, = 8.2.2, = 8.2.5, = 8.2.1, = 8.2.3, = 8.2.13, = 8.2.8, = 8.2, = 8.2.7, = 8.2.6, = 8.2.16, = 8.2.14, = 8.3.6, = 8.3.3, = 8.3.2, = 8.3.1, = 8.3.5, = 8.3.8, = 8.3.7, = 8.3.10, = 8.3, = 8.3.9, = 8.3.4, = 8.4.1, = 8.4.3, = 8.4, = 8.4.2, = 9.0.05.5 MEDIUM

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, and 8.4 before 8.4.4 does not properly check privileges during certain RESET ALL operations, which allows remote authenticated users to remove arbitrary parameter settings via a (1) ALTER USER or (2) ALTER DATABASE statement.

= 7.4.16, = 7.4.24, = 7.4.22, = 7.4.21, = 7.4.19, = 7.4.15, = 7.4.1, = 7.4.14, = 7.4.26, = 7.4.6, = 7.4.11, = 7.4.23, = 7.4.20, = 7.4.4, = 7.4.7, = 7.4.10, = 7.4.27, = 7.4.3, = 7.4.9, = 7.4.8, = 7.4.12, = 7.4.25, = 7.4.17, = 7.4.5, = 7.4.18, = 7.4, = 7.4.28, = 7.4.2, = 7.4.13, = 8.0.7, = 8.0.2, = 8.0.22, = 8.0.17, = 8.0.10, = 8.0.12, = 8.0.9, = 8.0.15, = 8.0.0, = 8.0.20, = 8.0.13, = 8.0.4, = 8.0.3, = 8.0.21, = 8.0.11, = 8.0.23, = 8.0.24, = 8.0, = 8.0.16, = 8.0.8, = 8.0.5, = 8.0.1, = 8.0.14, = 8.0.18, = 8.0.19, = 8.0.6, = 8.1.10, = 8.1.6, = 8.1.15, = 8.1.7, = 8.1.20, = 8.1, = 8.1.19, = 8.1.13, = 8.1.0, = 8.1.1, = 8.1.12, = 8.1.5, = 8.1.4, = 8.1.14, = 8.1.8, = 8.1.9, = 8.1.11, = 8.1.3, = 8.1.2, = 8.1.17, = 8.1.18, = 8.1.16, = 8.2.9, = 8.2.10, = 8.2.15, = 8.2.4, = 8.2.11, = 8.2.12, = 8.2.2, = 8.2.5, = 8.2.1, = 8.2.3, = 8.2.13, = 8.2.8, = 8.2, = 8.2.7, = 8.2.16, = 8.2.6, = 8.2.14, = 8.3.6, = 8.3.3, = 8.3.2, = 8.3.1, = 8.3.5, = 8.3.8, = 8.3.7, = 8.3.10, = 8.3, = 8.3.4, = 8.3.9, = 8.4.1, = 8.4.3, = 8.4, = 8.4.2, = 9.0.08.5 HIGH

The Safe (aka Safe.pm) module 2.26, and certain earlier versions, for Perl, as used in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2, allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving subroutine references and delayed execution.

= 7.4.16, = 7.4.24, = 7.4.22, = 7.4.21, = 7.4.19, = 7.4.15, = 7.4.1, = 7.4.14, = 7.4.26, = 7.4.5, = 7.4.4, = 7.4, = 7.4.28, = 7.4.27, = 7.4.3, = 7.4.8, = 7.4.18, = 7.4.25, = 7.4.7, = 7.4.10, = 7.4.6, = 7.4.9, = 7.4.11, = 7.4.23, = 7.4.12, = 7.4.20, = 7.4.17, = 7.4.2, = 7.4.13, = 8.0.7, = 8.0.2, = 8.0.22, = 8.0.17, = 8.0.10, = 8.0.12, = 8.0.9, = 8.0.15, = 8.0.0, = 8.0.1, = 8.0.14, = 8.0.18, = 8.0.19, = 8.0.6, = 8.0, = 8.0.16, = 8.0.8, = 8.0.5, = 8.0.11, = 8.0.23, = 8.0.13, = 8.0.24, = 8.0.20, = 8.0.4, = 8.0.3, = 8.0.21, = 8.1.10, = 8.1.6, = 8.1.15, = 8.1.7, = 8.1.20, = 8.1, = 8.1.19, = 8.1.13, = 8.1.0, = 8.1.2, = 8.1.5, = 8.1.4, = 8.1.18, = 8.1.8, = 8.1.3, = 8.1.17, = 8.1.11, = 8.1.16, = 8.1.14, = 8.1.12, = 8.1.9, = 8.1.1, = 8.2.9, = 8.2.10, = 8.2.15, = 8.2.4, = 8.2.11, = 8.2.12, = 8.2.2, = 8.2.5, = 8.2.1, = 8.2.14, = 8.2, = 8.2.7, = 8.2.6, = 8.2.16, = 8.2.8, = 8.2.13, = 8.2.3, = 8.3.6, = 8.3.3, = 8.3.2, = 8.3.1, = 8.3.5, = 8.3.8, = 8.3.7, = 8.3.10, = 8.3, = 8.3.4, = 8.3.9, = 8.4.1, = 8.4.3, = 8.4, = 8.4.2, = 9.0.08.5 HIGH

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. NOTE: some sources report that this issue is the same as CVE-2010-1447.

= 8.1.10, = 8.1.6, = 8.2.9, = 8.0.7, = 8.0.2, = 8.1.15, = 8.1.7, = 8.3.6, = 8.2.10, = 8.0.22, = 8.0.10, = 8.2.4, = 8.0.9, = 8.1, = 8.3.3, = 8.0.17, = 8.2.15, = 8.0.0, = 8.1.0, = 8.0.12, = 8.0.15, = 8.2.2, = 8.2.12, = 8.2.11, = 8.1.13, = 8.1.20, = 8.1.19, = 8.1.17, = 8.3.8, = 8.2.5, = 8.0.3, = 8.1.9, = 8.3.7, = 8.1.11, = 8.0.16, = 8.3, = 8.1.18, = 8.0.13, = 8.1.1, = 8.2.1, = 8.3.1, = 8.3.4, = 8.3.10, = 8.1.8, = 8.0.20, = 8.0.6, = 8.1.3, = 8.2.6, = 8.3.2, = 8.1.12, = 8.1.14, = 8.5, = 8.0.24, = 8.4, = 8.0.1, = 8.0.8, = 8.1.4, = 8.3.5, = 8.2.7, = 8.0.18, = 8.0.19, <= 8.4.1, = 8.0.11, = 8.0.21, = 8.2.16, = 8.0.23, = 8.0.317, = 8.0, = 8.0.4, = 8.2.8, = 8.2.13, = 8.3.9, = 8.1.16, = 8.0.14, = 8.0.5, = 8.2, = 8.2.3, = 8.2.14, = 8.1.5, = 8.1.23.5 LOW

Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations.

= 8.3.8, = 8.1.11, = 8.0.23, >= 8.4, < 8.4.3, >= 8.3, < 8.3.10, >= 8.2, < 8.2.16, >= 8.1, < 8.1.20, >= 8.0, < 8.0.24, >= 7.4, < 7.4.286.5 MEDIUM

The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."

= 7.4.16, = 8.1.10, = 8.1.6, = 8.2.9, = 8.0.7, = 8.0.2, = 8.1.15, = 8.1.7, = 8.3.6, = 7.4.24, = 7.4.15, = 7.4.21, = 8.0.9, = 8.0.22, = 8.2.4, = 8.2.10, = 8.4.1, = 7.4.22, = 8.0.12, = 8.1.13, = 8.2.11, = 7.4.1, = 8.0.17, = 7.4.19, = 8.0.10, = 8.0.15, = 8.2.12, = 7.4.9, = 7.4.14, = 8.0.16, = 8.1.3, = 8.3.8, = 8.3.3, = 7.4.5, = 7.4.4, = 7.4.11, = 7.4.23, = 8.0.20, = 8.0.0, = 8.0.8, = 8.1.0, = 8.1.11, = 8.2.2, = 8.2.6, = 8.3.5, = 8.3.2, = 7.4.3, = 7.4.8, = 7.4.18, = 7.4.17, = 7.4.26, = 8.0.3, = 8.0.18, = 8.1.9, = 8.2.1, = 8.2.7, = 7.4.7, = 7.4.6, = 7.4.25, = 8.0.6, = 8.1.14, = 8.2.5, = 8.3.1, = 7.4.20, = 8.0.1, = 8.0.13, = 8.1.8, = 8.1.2, = 8.1.17, = 8.2, = 7.4.10, = 8.0.19, = 8.2.14, = 7.4.2, = 8.0.11, = 8.0.4, = 8.1.16, = 8.1.18, = 8.2.3, = 8.3.7, = 7.4.12, = 7.4.13, = 8.0.14, = 8.0.5, = 8.0.21, = 8.1.1, = 8.1.4, = 8.1.5, = 8.1.12, = 8.2.8, = 8.2.13, = 8.3.46.5 MEDIUM

PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated users to gain privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path or (2) a prepared statement, a related issue to CVE-2007-6600 and CVE-2009-3230.

= 7.4.16, = 8.1.10, = 8.1.6, = 8.2.9, = 8.0.7, = 8.0.2, = 8.1.15, = 8.1.7, = 8.3.6, = 7.4.1, = 8.0.17, = 7.4.24, = 7.4.19, = 8.0.15, = 8.2.12, = 7.4.22, = 8.0.10, = 8.0.12, = 8.1.13, = 8.2.11, = 7.4.15, = 7.4.21, = 8.0.9, = 8.0.22, = 8.2.4, = 8.2.10, = 8.4.1, = 7.4.3, = 7.4.18, = 7.4.17, = 7.4.26, = 8.0.20, = 8.0.3, = 8.0.18, = 8.1.9, = 8.2.7, = 8.2.6, = 7.4.6, = 7.4.25, = 8.0.6, = 8.1.14, = 8.2.5, = 8.3.1, = 7.4.5, = 7.4.4, = 7.4.7, = 7.4.11, = 7.4.23, = 8.0.0, = 8.0.8, = 8.1.0, = 8.1.11, = 8.2.2, = 8.3.5, = 8.3.2, = 7.4.9, = 7.4.8, = 7.4.14, = 8.0.16, = 8.1.3, = 8.2.1, = 8.3.8, = 8.3.3, = 7.4.2, = 8.0.11, = 8.0.4, = 8.1.16, = 8.1.18, = 8.2.3, = 8.3.7, = 7.4.12, = 7.4.13, = 8.0.14, = 8.0.1, = 8.0.5, = 8.0.21, = 8.1.4, = 8.1.5, = 8.1.12, = 8.2.8, = 8.2.13, = 8.3.4, = 7.4.10, = 8.0.19, = 8.1.1, = 8.2.14, = 7.4.20, = 8.0.13, = 8.1.8, = 8.1.2, = 8.1.17, = 8.25.8 MEDIUM

PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based PostgreSQL servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended client-hostname restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.

all versions7.5 HIGH

The postgresql-ocaml bindings 1.5.4, 1.7.0, and 1.12.1 for PostgreSQL libpq do not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings.

= 8.2.9, = 8.3.6, = 8.2.10, = 8.2.4, = 8.2.11, = 8.2.12, = 8.2.2, = 8.3.3, = 8.3.2, = 8.3.5, = 8.2.3, = 8.2.7, = 8.3.1, = 8.2.5, = 8.2, = 8.2.8, = 8.3.4, = 8.2.6, = 8.3, = 8.3.7, = 8.2.1, = 8.2.13, >= 8.2, < 8.2.14, >= 8.3, < 8.3.86.8 MEDIUM

The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.

= 8.2.9, = 8.3.6, = 8.2.10, = 8.2.4, = 8.2.11, = 8.2.12, = 8.2.2, = 8.3.3, = 8.3.2, = 8.4, = 8.3, = 8.3.7, = 8.2.1, = 8.2.13, = 8.3.5, = 8.2.3, = 8.2.7, = 8.3.1, = 8.2.5, = 8.2, = 8.2.8, = 8.3.4, = 8.2.64 MEDIUM

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, and 8.2 before 8.2.14 allows remote authenticated users to cause a denial of service (backend shutdown) by "re-LOAD-ing" libraries from a certain plugins directory.

= 7.4.16, = 8.1.10, = 8.1.6, = 8.2.9, = 8.0.7, = 8.0.2, = 8.1.15, = 8.1.7, = 8.3.6, = 8.2.2, = 8.2.10, = 8.1.13, = 8.0.12, = 7.4.15, = 8.2.11, = 8.1, = 8.0.15, = 7.4.19, = 8.2.4, = 8.2.12, = 7.4.1, = 8.0.9, = 8.0.10, = 8.0.17, = 7.4.24, = 7.4.21, = 7.4.22, = 8.4, = 8.2.1, = 8.1.3, = 8.1.4, = 8.0.3, = 8.0.20, = 7.4.14, = 7.4.4, = 7.4.5, = 7.4.23, = 7.4.25, = 8.3.3, = 8.2.5, = 8.2.6, = 8.0.8, = 8.0.16, = 7.4.11, = 7.4.18, = 7.4.8, = 8.3.1, = 8.3.2, = 8.1.14, = 8.0.6, = 8.0.13, = 7.4, = 7.4.17, = 7.4.6, = 7.4.7, = 7.4.9, = 8.3.5, = 8.3.7, = 8.2.7, = 8.1.9, = 8.1.11, = 8.0.18, = 7.4.3, = 8.2, = 8.1.12, = 8.0.4, = 8.0.11, = 8.0.21, = 8.3.4, = 8.1.8, = 8.1.16, = 8.0, = 7.4.10, = 7.4.2, = 7.4.20, = 8.2.3, = 8.2.13, = 8.1.5, = 8.0.5, = 8.0.14, = 8.2.8, = 8.1.1, = 8.1.2, = 8.0.1, = 8.0.19, = 7.4.12, = 7.4.136.5 MEDIUM

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600.

= 8.3.6, = 7.4.24, = 8.2.12, = 8.0.20, = 8.1.164 MEDIUM

PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.

= 7.4.16, = 8.0.7, = 8.0.2, = 8.1.7, = 7.3.3, = 8.2.4, = 7.3, = 8.0.9, = 7.3.10, = 7.4.11, = 7.4.3, = 7.3.15, = 7.3.16, = 7.4.1, = 7.4.17, = 7.4.9, = 8.1.9, = 7.3.9, = 7.4.14, = 7.4.7, = 7.3.11, = 7.3.6, = 7.4.6, = 8.0.3, = 8.1.3, = 8.2.2, = 7.3.1, = 7.3.19, = 7.3.2, = 7.4.10, = 7.4.4, = 8.0.11, = 8.0.13, = 7.4, = 7.4.2, = 8.0, = 8.0.1, = 8.0.5, = 8.1.8, = 8.0.8, = 8.2, = 7.3.13, = 7.3.14, = 7.3.8, = 7.4.8, = 8.0.317, = 8.0.4, = 8.1.4, = 8.1.5, = 7.3.12, = 7.3.4, = 7.4.12, = 7.4.13, = 7.4.5, = 8.1.1, = 8.2.36.8 MEDIUM

The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows remote authenticated users to cause a denial of service (backend crash) via an out-of-bounds backref number.

= 7.4.16, = 8.0.7, = 8.0.2, = 8.1.7, = 7.3.3, = 8.2.4, = 7.3, = 8.0.9, = 7.4.1, = 7.3.9, = 7.4.14, = 7.3.15, = 7.3.16, = 7.4.17, = 7.3.11, = 7.3.6, = 7.4.7, = 7.4.9, = 7.4.5, = 7.4.6, = 8.0.3, = 8.1.3, = 8.2.2, = 7.3.10, = 7.4.11, = 7.4.3, = 8.1.9, = 7.3.13, = 7.3.14, = 7.3.8, = 7.3.19, = 7.4, = 7.4.2, = 8.0, = 8.0.1, = 7.3.12, = 7.3.4, = 7.4.12, = 7.4.8, = 8.0.317, = 8.0.4, = 8.1.4, = 8.1.5, = 7.4.13, = 8.1.1, = 8.2.3, = 8.0.5, = 8.1.8, = 7.3.1, = 7.3.2, = 7.4.10, = 7.4.4, = 8.0.11, = 8.0.13, = 8.0.8, = 8.2, >= 7.3.0, < 7.3.21, >= 7.4.0, < 7.4.19, >= 8.0.0, < 8.0.15, >= 8.1.0, < 8.1.11, >= 8.2.0, < 8.2.67.2 HIGH

The DBLink module in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21, when local trust or ident authentication is used, allows remote attackers to gain privileges via unspecified vectors. NOTE: this issue exists because of an incomplete fix for CVE-2007-3278.

= 7.4.16, = 8.1.10, = 8.1.6, = 8.0.7, = 8.0.2, = 8.1.7, = 7.3.3, = 8.2.4, = 7.3, = 7.3.9, = 7.4.14, = 7.4.7, = 8.2.5, = 8.0.0, = 7.3.10, = 7.4.11, = 8.0.9, = 8.2.2, = 7.3.18, = 7.3.15, = 7.3.16, = 7.4.1, = 8.0.12, = 8.0.10, = 7.4.6, = 8.0.3, = 8.1.3, = 7.3.13, = 7.3.14, = 7.3.8, = 7.4.8, = 8.0.4, = 8.0.5, = 8.1.5, = 8.0.14, = 7.4.18, = 7.3.1, = 7.3.19, = 7.3.2, = 7.4.10, = 7.4.3, = 7.4.4, = 8.0.13, = 8.1.1, = 8.0.6, = 8.2.1, = 7.3.17, = 7.4, = 7.4.17, = 7.4.9, = 8.0.1, = 8.0.8, = 8.1.8, = 8.1.9, = 7.3.5, = 7.3.7, = 7.3.11, = 7.3.12, = 7.3.6, = 7.4.12, = 7.4.5, = 8.1.4, = 8.2.3, = 8.0.11, = 8.2, = 7.4.2, = 8.0, = 7.3.4, = 7.4.13, = 8.1.26.5 MEDIUM

PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21 uses superuser privileges instead of table owner privileges for (1) VACUUM and (2) ANALYZE operations within index functions, and supports (3) SET ROLE and (4) SET SESSION AUTHORIZATION within index functions, which allows remote authenticated users to gain privileges.

= 7.4.16, = 8.0.7, = 8.0.2, = 8.1.7, = 7.3.3, = 8.2.4, = 7.3, = 8.0.9, = 7.3.10, = 7.3.11, = 7.4.11, = 7.3.15, = 7.3.9, = 7.4.17, = 7.4.9, = 7.3.16, = 7.4.1, = 7.4.3, = 8.1.9, = 8.2.2, = 7.3.6, = 7.4.14, = 7.4.6, = 7.4.7, = 8.0.3, = 8.1.3, = 7.3.4, = 7.4.12, = 7.4.4, = 7.4.5, = 8.0.13, = 7.3.14, = 7.4, = 7.4.8, = 8.0, = 8.0.4, = 8.0.5, = 8.1.5, = 7.3.1, = 7.3.19, = 7.3.2, = 7.4.10, = 7.4.2, = 8.0.1, = 8.0.11, = 8.0.8, = 8.1.8, = 8.1.1, = 8.2, = 7.3.12, = 7.3.13, = 7.3.8, = 7.4.13, = 8.0.317, = 8.1.4, = 8.2.36.8 MEDIUM

Algorithmic complexity vulnerability in the regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows remote authenticated users to cause a denial of service (memory consumption) via a crafted "complex" regular expression with doubly-nested states.

>= 7.4, < 7.4.19, >= 8.0, < 8.0.15, >= 8.1, < 8.1.11, >= 8.2, < 8.2.64 MEDIUM

The regular expression parser in TCL before 8.4.17, as used in PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, and 7.4 before 7.4.19, allows context-dependent attackers to cause a denial of service (infinite loop) via a crafted regular expression.

= 8.19 HIGH

The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries based on the C programming language, which allows remote authenticated superusers to map and execute a function from any library, as demonstrated by using the system function in libc.so.6 to gain shell access.

= 8.110 HIGH

PostgreSQL 8.1 and probably later versions, when the PL/pgSQL (plpgsql) language has been created, grants certain plpgsql privileges to the PUBLIC domain, which allows remote attackers to create and execute functions, as demonstrated by functions that perform local brute-force password guessing attacks, which may evade intrusion detection.

= 8.1, >= 7.4, < 7.4.19, >= 8.0, < 8.0.15, >= 8.1, < 8.1.11, >= 8.2, < 8.2.6, >= 7.3, < 7.3.216.9 MEDIUM

PostgreSQL 8.1 and probably later versions, when local trust authentication is enabled and the Database Link library (dblink) is installed, allows remote attackers to access arbitrary accounts and execute arbitrary SQL queries via a dblink host parameter that proxies the connection from 127.0.0.1.

< 7.3.19, >= 7.4, < 7.4.17, >= 8.0, < 8.0.13, >= 8.1, < 8.1.9, >= 8.2, < 8.2.46 MEDIUM

Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x before 8.0.13, 8.1.x before 8.1.9, and 8.2.x before 8.2.4 allows remote authenticated users, when permitted to call a SECURITY DEFINER function, to gain the privileges of the function owner, related to "search_path settings."

= 7.4.16, = 8.1.6, = 8.0.7, = 8.0.2, = 7.2.7, = 7.3.3, = 6.2.1, = 1.01, = 6.3, = 1.09, = 6.3.1, = 6.3.2, = 7.2, = 7.3, = 8.1.3, = 7.2.6, = 8.1, = 6.1, = 6.4.1, = 7.2.3, = 7.3.10, = 7.3.9, = 7.4.15, = 6.5, = 7.4.1, = 8.0.10, = 8.0.9, = 1.02, = 7.0, = 7.0.1, = 7.3.16, = 7.3.8, = 7.4.14, = 7.4.7, = 7.4.8, = 1.0, = 6.5.2, = 7.1.3, = 7.3.15, = 7.3.6, = 7.4.11, = 7.4.5, = 7.4.6, = 8.0.3, = 6.0, = 7.0.2, = 7.0.3, = 7.3.18, = 7.4, = 7.4.9, = 8.0.6, = 6.2, = 6.4.2, = 6.5.1, = 7.1, = 7.1.1, = 7.2.5, = 7.3.11, = 7.3.13, = 7.4.3, = 7.4.4, = 8.0.8, = 8.2.1, = 7.2.1, = 7.2.8, = 7.3.17, = 7.3.7, = 7.4.13, = 8.0.4, = 8.0.5, = 8.1.2, = 8.1.4, = 6.5.3, = 7.1.2, = 7.3.14, = 7.3.5, = 7.4.12, = 8.1.1, = 6.4, = 7.2.2, = 7.3.1, = 7.3.2, = 7.4.2, = 8.0, = 8.1.5, = 6.1.1, = 7.2.4, = 7.3.12, = 7.3.4, = 7.4.10, = 8.0.1, = 8.26.6 MEDIUM

The query planner in PostgreSQL before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 does not verify that a table is compatible with a "previously made query plan," which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content via an "ALTER COLUMN TYPE" SQL statement, which can be leveraged to read arbitrary memory from the server.

= 7.3, = 8.1, = 7.4, = 8.2, = 8.0, >= 7.3, < 7.3.18, >= 7.4, < 7.4.16, >= 8.0, < 8.0.11, >= 8.1, < 8.1.7, >= 8.2, < 8.2.28.5 HIGH

PostgreSQL 7.3 before 7.3.13, 7.4 before 7.4.16, 8.0 before 8.0.11, 8.1 before 8.1.7, and 8.2 before 8.2.2 allows attackers to disable certain checks for the data types of SQL function arguments, which allows remote authenticated users to cause a denial of service (server crash) and possibly access database content.

= 8.1, = 8.1.3, = 8.1.4, = 8.1.1, = 8.1.24 MEDIUM

backend/tcop/postgres.c in PostgreSQL 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) related to duration logging of V3-protocol Execute messages for (1) COMMIT and (2) ROLLBACK SQL statements.

= 8.0.7, = 8.0.2, = 8.1, = 7.4.1, = 8.1.3, = 7.4.14, = 7.4.6, = 7.4.11, = 8.0.3, = 7.4.12, = 7.4.7, = 8.0.4, = 8.0.5, = 8.0.6, = 8.1.4, = 7.4.10, = 7.4.4, = 7.4.5, = 7.4.2, = 7.4.3, = 8.0, = 8.0.1, = 8.1.1, = 7.4.13, = 7.4.8, = 7.4.9, = 8.0.8, = 8.1.2, >= 8.0.0, < 8.0.9, >= 8.1.0, < 8.1.5, >= 7.4, < 7.4.144 MEDIUM

backend/parser/parse_coerce.c in PostgreSQL 7.4.1 through 7.4.14, 8.0.x before 8.0.9, and 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) via a coercion of an unknown element to ANYARRAY.

= 8.0.7, = 8.0.2, = 7.2.7, = 7.3.3, = 7.2, = 7.3, = 8.1, = 6.3.2, = 7.4.1, = 7.3.11, = 7.3.6, = 7.3.8, = 7.4.3, = 7.1.3, = 7.3.10, = 7.4.9, = 7.1.1, = 7.3.15, = 7.4.11, = 7.4.6, = 7.4.7, = 7.0.3, = 7.2.3, = 7.3.9, = 7.4.5, = 8.0.3, = 8.1.3, = 6.5.3, = 7.2.1, = 7.2.2, = 7.3.12, = 7.4.2, = 8.0, = 8.0.1, = 8.0.8, = 7.1.2, = 7.3.1, = 7.3.4, = 7.4.12, = 7.4.13, = 7.4.8, = 8.0.6, = 7.1, = 7.3.2, = 7.4.10, = 8.0.4, = 8.0.5, = 8.1.4, = 7.0.2, = 7.2.4, = 7.3.13, = 7.3.14, = 7.4, = 7.4.4, = 8.1.1, = 8.1.24 MEDIUM

backend/parser/analyze.c in PostgreSQL 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) via certain aggregate functions in an UPDATE statement, which are not properly handled during a "MIN/MAX index optimization."

= 8.0.7, = 8.0.2, = 7.3.3, = 7.3, = 8.1, = 7.4.1, = 7.3.9, = 7.3.10, = 8.1.3, = 7.3.2, = 7.4.6, = 7.4.7, = 7.3.13, = 7.3.8, = 7.4, = 7.4.4, = 7.4.5, = 8.0.3, = 7.3.5, = 7.4.11, = 7.4.8, = 7.4.9, = 8.0.6, = 7.3.11, = 7.3.6, = 7.4.3, = 8.0.1, = 7.4.10, = 8.0.4, = 8.0.5, = 7.3.14, = 7.3.1, = 7.3.4, = 7.4.12, = 7.3.12, = 7.3.7, = 7.4.2, = 8.0, = 8.1.1, = 8.1.27.5 HIGH

PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications via invalid encodings of multibyte characters, aka one variant of "Encoding-Based SQL Injection."

= 8.0.7, = 8.0.2, = 7.3.3, = 7.3, = 8.1, = 7.4.1, = 7.3.9, = 7.3.10, = 8.1.3, = 7.4.7, = 7.4.8, = 8.0.6, = 7.3.2, = 7.4, = 7.4.5, = 7.4.6, = 8.0.3, = 7.3.11, = 7.3.5, = 7.3.6, = 7.4.11, = 7.4.9, = 7.3.13, = 7.3.8, = 7.4.3, = 7.4.4, = 8.0.1, = 7.3.1, = 7.3.4, = 7.4.10, = 8.0.5, = 7.3.14, = 8.0.4, = 7.4.12, = 7.4.2, = 8.0, = 7.3.12, = 7.3.7, = 8.1.1, = 8.1.27.5 HIGH

PostgreSQL 8.1.x before 8.1.4, 8.0.x before 8.0.8, 7.4.x before 7.4.13, 7.3.x before 7.3.15, and earlier versions allows context-dependent attackers to bypass SQL injection protection methods in applications that use multibyte encodings that allow the "\" (backslash) byte 0x5c to be the trailing byte of a multibyte character, such as SJIS, BIG5, GBK, GB18030, and UHC, which cannot be handled correctly by a client that does not understand multibyte encodings, aka a second variant of "Encoding-Based SQL Injection." NOTE: it could be argued that this is a class of issue related to interaction errors between the client and PostgreSQL, but a CVE has been assigned since PostgreSQL is treating this as a preventative measure against this class of problem.

= 8.1.0, = 8.1.1, = 8.1.26.5 MEDIUM

PostgreSQL 8.1.0 through 8.1.2 allows authenticated database users to gain additional privileges via "knowledge of the backend protocol" using a crafted SET ROLE to other database users, a different vulnerability than CVE-2006-0678.

= 8.0.2, = 7.3.3, = 7.3, = 8.1, = 7.4.1, = 7.3.9, = 7.3.10, = 7.4.6, = 7.4.11, = 7.3.11, = 7.3.12, = 7.3.8, = 7.4.4, = 7.4.5, = 8.0.3, = 7.3.13, = 7.3.2, = 7.4, = 7.3.6, = 7.4.3, = 8.0.1, = 7.4.7, = 8.0.6, = 7.3.5, = 7.4.8, = 7.4.9, = 8.1.1, = 8.0.4, = 7.3.1, = 7.3.7, = 7.4.2, = 8.0, = 8.1.2, = 8.0.5, = 7.3.4, = 7.4.101.5 LOW

PostgreSQL 7.3.x before 7.3.14, 7.4.x before 7.4.12, 8.0.x before 8.0.7, and 8.1.x before 8.1.3, when compiled with Asserts enabled, allows local users to cause a denial of service (server crash) via a crafted SET SESSION AUTHORIZATION command, a different vulnerability than CVE-2006-0553.

= 8.0.2, = 8.1.0, = 8.0.3, = 8.0.1, = 8.1.1, = 8.0.4, = 8.0.5, = 8.05 MEDIUM

PostgreSQL 8.0.x before 8.0.6 and 8.1.x before 8.1.2, when running on Windows, allows remote attackers to cause a denial of service (postmaster exit and no new connections) via a large number of simultaneous connection requests.

= 8.0.2, = 7.4.6, = 7.4.7, = 7.4.3, = 7.4.5, = 7.4, = 8.0.1, = 8.02.1 LOW

The tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4) spell_init, and (5) syn_init functions as "internal" even when they do not take an internal argument, which allows attackers to cause a denial of service (application crash) and possibly have other impacts via SQL commands that call other functions that accept internal arguments.

= 8.0.2, = 7.2.7, = 7.3.3, = 7.3, = 7.4.1, = 7.3.9, = 7.2.3, = 7.2.6, = 7.4.6, = 7.2.1, = 7.2.2, = 7.3.1, = 7.3.2, = 7.4, = 8.0, = 8.0.1, = 7.2.4, = 7.4.2, = 7.3.7, = 7.3.8, = 7.4.7, = 7.2.5, = 7.3.5, = 7.3.6, = 7.4.3, = 7.4.4, = 7.4.5, = 7.3.47.5 HIGH

PostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability."

= 7.2.7, = 7.3.3, = 7.2, = 7.3, = 7.4.1, = 7.3.9, = 7.2.3, = 8.0.0, = 7.2.6, = 7.3.7, = 7.3.8, = 7.4.5, = 7.4.6, = 7.2.4, = 7.2.5, = 7.3.5, = 7.2.1, = 7.3.1, = 7.4, = 7.4.7, = 7.2.2, = 7.3.2, = 7.4.2, = 8.0.1, = 7.3.6, = 7.4.3, = 7.4.4, = 7.3.46.5 MEDIUM

Multiple buffer overflows in gram.y for PostgreSQL 8.0.1 and earlier may allow attackers to execute arbitrary code via (1) a large number of variables in a SQL statement being handled by the read_sql_construct function, (2) a large number of INTO variables in a SELECT statement being handled by the make_select_stmt function, (3) a large number of arbitrary variables in a SELECT statement being handled by the make_select_stmt function, and (4) a large number of INTO variables in a FETCH statement being handled by the make_fetch_stmt function, a different set of vulnerabilities than CVE-2005-0245.

= 7.2.7, = 7.3.3, = 7.2, = 7.3, = 7.4.1, = 7.3.9, = 7.2.3, = 8.0.0, = 7.2.6, = 7.3.1, = 7.3.8, = 7.4.6, = 7.4.7, = 7.2.5, = 7.3.6, = 7.3.7, = 7.4.4, = 7.4.5, = 7.2.1, = 7.2.2, = 7.3.2, = 7.4, = 7.2.4, = 7.3.4, = 7.3.5, = 7.4.2, = 7.4.3, >= 8.0.0, < 8.0.1, >= 7.3.0, < 7.3.9, >= 7.4.0, < 7.4.75 MEDIUM

The intagg contrib module for PostgreSQL 8.0.0 and earlier allows attackers to cause a denial of service (crash) via crafted arrays.

= 7.2.7, = 7.3.3, = 7.2, = 7.3, = 7.4.1, = 7.3.9, = 7.2.3, = 8.0.0, = 7.2.6, = 7.2.5, = 7.3.5, = 7.3.6, = 7.4.4, = 7.4.5, = 7.2.4, = 7.3.4, = 7.4.2, = 7.4.3, = 7.3.7, = 7.3.8, = 7.4.6, = 7.4.7, = 7.2.1, = 7.2.2, = 7.3.1, = 7.3.2, = 7.46.5 MEDIUM

PostgreSQL 8.0.0 and earlier allows local users to bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command.

= 7.2.7, = 7.4.1, = 7.2.3, = 7.2.6, = 7.4.6, = 7.4.7, = 7.4.3, = 7.2.5, = 7.4.5, = 7.2.4, = 7.2.2, = 7.4.4, = 7.2.1, = 7.4.2, >= 7.4, < 7.4.7, >= 7.3.0, < 7.3.9, >= 8.0, < 8.0.14.3 MEDIUM

PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users to load arbitrary shared libraries and execute code via the LOAD extension.

= 7.4.3, = 7.4.5, = 7.2.1, >= 7.3.0, < 7.3.8, >= 7.4.0, < 7.4.62.1 LOW

The make_oidjoins_check script in PostgreSQL 7.4.5 and earlier allows local users to overwrite files via a symlink attack on temporary files.

= 7.2.7, = 7.3.3, = 7.2, = 7.3, = 7.4.1, = 7.3.9, = 7.2.3, = 7.2.6, = 7.4.6, = 7.2.2, = 7.3.2, = 7.4.2, = 7.2.1, = 7.3.1, = 7.4, = 8.0, = 7.2.4, = 7.2.5, = 7.3.4, = 7.3.5, = 7.3.6, = 7.4.3, = 7.4.4, = 7.3.7, = 7.3.8, = 7.4.5, >= 7.3, < 7.3.10, >= 7.4, < 7.4.77.5 HIGH

Buffer overflow in gram.y for PostgreSQL 8.0.0 and earlier may allow attackers to execute arbitrary code via a large number of arguments to a refcursor function (gram.y), which leads to a heap-based buffer overflow, a different vulnerability than CVE-2005-0247.

= 7.2.15 MEDIUM

Buffer overflow in the ODBC driver for PostgreSQL before 7.2.1 allows remote attackers to cause a denial of service (crash).

= 7.3.3, = 7.2, = 7.3, = 7.2.3, = 7.2.2, = 7.3.2, = 7.2.4, = 7.3.1, = 7.2.17.5 HIGH

Buffer overflow in to_ascii for PostgreSQL 7.2.x, and 7.3.x before 7.3.4, allows remote attackers to execute arbitrary code.

= 6.3.2, = 7.1.1, = 7.1.3, = 7.0.3, = 7.1, = 6.5.3, = 7.2.1, = 7.1.24.6 MEDIUM

Buffer overflows in the (1) TZ and (2) SET TIME ZONE enivronment variables for PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service and possibly execute arbitrary code.

= 7.2, = 6.3.2, = 7.2.3, = 7.1.1, = 7.1.3, = 7.0.3, = 7.1, = 7.2.2, = 6.5.3, = 7.2.1, = 7.1.26.5 MEDIUM

Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow.

= 7.2, = 6.3.2, = 7.1.1, = 7.1.3, = 7.0.3, = 7.1, = 6.5.3, = 7.2.1, = 7.1.27.5 HIGH

Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by causing repeat() to generate a large string.

= 7.2, = 6.3.2, = 7.1.1, = 7.1.3, = 7.0.3, = 7.1, = 6.5.3, = 7.2.1, = 7.1.210 HIGH

Unknown vulnerability in cash_out and possibly other functions in PostgreSQL 7.2.1 and earlier, and possibly later versions before 7.2.3, with unknown impact, based on an invalid integer input which is processed as a different data type, as demonstrated using cash_out(2).

= 7.2, = 6.3.2, = 7.1.1, = 7.1.3, = 7.0.3, = 7.1, = 6.5.3, = 7.2.1, = 7.1.24.6 MEDIUM

Buffer overflow in the date parser for PostgreSQL before 7.2.2 allows attackers to cause a denial of service and possibly execute arbitrary code via a long date string, aka a vulnerability "in handling long datetime input."

= 7.2, = 6.3.2, = 7.1.1, = 7.1.3, = 7.0.3, = 7.1, = 6.5.3, = 7.1.27.5 HIGH

Vulnerability in the cash_words() function for PostgreSQL 7.2 and earlier allows local users to cause a denial of service and possibly execute arbitrary code via a large negative argument, possibly triggering an integer signedness error or buffer overflow.

= 7.3.197.5 HIGH5 MEDIUM

PostgreSQL uses the username for a salt when generating passwords, which makes it easier for remote attackers to guess passwords via a brute force attack.

= 7.2, = 7.2.2, = 7.2.17.2 HIGH

PostgreSQL 7.2.1 and 7.2.2 allows local users to delete transaction log (pg_clog) data and cause a denial of service (data loss) via the VACUUM command.

= 7.2, = 6.3.2, = 7.1.1, = 7.1, = 6.5.3, = 7.2.1, = 7.1.24.6 MEDIUM

Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the functions (1) lpad or (2) rpad.

= 6.5.07.5 HIGH

The multibyte support in PostgreSQL 6.5.x with SQL_ASCII encoding consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks.

= 6.3.2, = 6.5.34.6 MEDIUM

PostgreSQL stores usernames and passwords in plaintext in (1) pg_shadow and (2) pg_pwd, which allows attackers with sufficient privileges to gain access to databases.

= 6.3.2, = 6.5.3.1, = 6.5.32.1 LOW

Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file.