CVE-2010-1169

CVE Details

Release Date:2010-05-19

Description


PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. NOTE: some sources report that this issue is the same as CVE-2010-1447. The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, as demonstrated by (1) redefining standard functions or (2) redefining operators, a different vulnerability than CVE-2010-1168, CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447.

See more information about CVE-2010-1169 from MITRE CVE dictionary and NIST NVD


CVSS v2.0 metrics


NOTE: The following CVSS v2.0 metrics and score provided are preliminary and subject to review.

Base Score: 8.5 Base Metrics: AV:N/AC:M/Au:S/C:C/I:C/A:C
Access Vector: Network Attack Complexity: Medium
Authentication: Requires single instance Confidentiality Impact: Complete
Integrity Impact: Complete Availability Impact: Complete

Errata information


PlatformErrataRelease Date
Oracle Enterprise Linux version 4 (postgresql)ELSA-2010-04282010-05-19
Oracle Linux version 5 (postgresql)ELSA-2010-04292010-05-19
Oracle Linux version 5 (postgresql84)ELSA-2010-04302010-05-19



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete