CVE-2010-1169

CVE Details

Release Date:

2010-05-19

Description

PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 does not properly restrict PL/perl procedures, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Perl code via a crafted script, related to the Safe module (aka Safe.pm) for Perl. NOTE: some sources report that this issue is the same as CVE-2010-1447. The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, as demonstrated by (1) redefining standard functions or (2) redefining operators, a different vulnerability than CVE-2010-1168, CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447.

See more information about CVE-2010-1169 from MITRE CVE dictionary and NIST NVD

CVSS v2.0 metrics

NOTE: The following CVSS v2.0 metrics and score provided are preliminary and subject to review.

Base Score:	8.5	Base Metrics:	AV:N/AC:M/Au:S/C:C/I:C/A:C
Access Vector:	Network	Attack Complexity:	Medium
Authentication:	Requires single instance	Confidentiality Impact:	Complete
Integrity Impact:	Complete	Availability Impact:	Complete

Errata information

Platform	Errata	Release Date
Oracle Enterprise Linux version 4 (postgresql)	ELSA-2010-0428	2010-05-19
Oracle Linux version 5 (postgresql)	ELSA-2010-0429	2010-05-19
Oracle Linux version 5 (postgresql84)	ELSA-2010-0430	2010-05-19

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team