PostgreSQL 7.4 < 7.4.30 / 8.0 < 8.0.26 / 8.1 < 8.1.22 / 8.2 < 8.2.18 / 8.3 < 8.3.12 / 8.4 < 8.4.5 / 9.0 < 9.0.1

2012-12-2800:00:00

www.tenable.com

The version of PostgreSQL installed on the remote host is 7.4 prior to 7.4.30, 8.0 prior to 8.0.26, 8.1 prior to 8.1.22, 8.2 prior to 8.2.18, 8.3 prior to 8.3.12, 8.4 prior to 8.4.5, or 9.0 prior to 9.0.1. It therefore is potentially affected by a privilege escalation vulnerability.

A remote, authenticated attacker could elevate privileges via specially crafted code in a SECURITY DEFINER function.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(63350);
  script_version("1.14");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/04/04");

  script_cve_id("CVE-2010-3433");
  script_bugtraq_id(43747);

  script_name(english:"PostgreSQL 7.4 < 7.4.30 / 8.0 < 8.0.26 / 8.1 < 8.1.22 / 8.2 < 8.2.18 / 8.3 < 8.3.12 / 8.4 < 8.4.5 / 9.0 < 9.0.1");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by a privilege escalation
vulnerability.");
  script_set_attribute(attribute:"description", value:
"The version of PostgreSQL installed on the remote host is 7.4 prior to
7.4.30, 8.0 prior to 8.0.26, 8.1 prior to 8.1.22, 8.2 prior to 8.2.18,
8.3 prior to 8.3.12, 8.4 prior to 8.4.5, or 9.0 prior to 9.0.1.  It
therefore is potentially affected by a privilege escalation
vulnerability. 

A remote, authenticated attacker could elevate privileges via 
specially crafted code in a SECURITY DEFINER function.");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/about/news/1244/");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/docs/7.4/release.html#RELEASE-7-4-30");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/docs/8.0/release.html#RELEASE-8-0-26");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/docs/8.1/release-8-1-22.html");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/docs/8.2/release-8-2-18.html");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/docs/8.3/release-8-3-12.html");
  script_set_attribute(attribute:"see_also", value:"http://www.postgresql.org/docs/8.4/static/release-8-4-5.html");
  script_set_attribute(attribute:"see_also", value:"https://www.postgresql.org/docs/9.0/release.html#RELEASE-9-0-1");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PostgreSQL 7.4.30 / 8.0.26 / 8.1.22 / 8.2.18 / 8.3.12 /
8.4.5 / 9.0.1 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2010-3433");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/10/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/10/04");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/12/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:postgresql:postgresql");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2012-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("postgresql_version.nbin");
  script_require_ports("Services/postgresql", 5432);

  exit(0);
}

include("audit.inc");
include("backport.inc");
include("global_settings.inc");
include("misc_func.inc");

port = get_service(svc:"postgresql", default:5432, exit_on_fail:TRUE);

version = get_kb_item_or_exit('database/'+port+'/postgresql/version');
source = get_kb_item_or_exit('database/'+port+'/postgresql/source');
database = get_kb_item('database/'+port+'/postgresql/database_name');

get_backport_banner(banner:source);
if (backported && report_paranoia < 2) audit(AUDIT_BACKPORT_SERVICE, port, 'PostgreSQL server');

ver = split(version, sep:'.');
for (i=0; i < max_index(ver); i++)
  ver[i] = int(ver[i]);

if (
  (ver[0] == 7 && ver[1] == 4 && ver[2] < 30) ||
  (ver[0] == 8 && ver[1] == 0 && ver[2] < 26) ||
  (ver[0] == 8 && ver[1] == 1 && ver[2] < 22) ||
  (ver[0] == 8 && ver[1] == 2 && ver[2] < 18) ||
  (ver[0] == 8 && ver[1] == 3 && ver[2] < 12) ||
  (ver[0] == 8 && ver[1] == 4 && ver[2] < 5) || 
  (ver[0] == 9 && ver[1] == 0 && ver[2] < 1)
)
{
  if (report_verbosity > 0)
  {
    report = '';
    if(database)
      report += '\n  Database name     : ' + database;
    report +=
      '\n  Version source    : ' + source +
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 7.4.30 / 8.0.26 / 8.1.22 / 8.2.18 / 8.3.12 / 8.4.5 / 9.0.1\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);
  exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, 'PostgreSQL', port, version);

VendorProductVersionCPE
postgresqlpostgresqlcpe:/a:postgresql:postgresql

Vendor	Product	Version	CPE
postgresql	postgresql		cpe:/a:postgresql:postgresql

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3433

www.postgresql.org/docs/8.4/static/release-8-4-5.html

www.postgresql.org/about/news/1244/

www.postgresql.org/docs/7.4/release.html#RELEASE-7-4-30

www.postgresql.org/docs/8.0/release.html#RELEASE-8-0-26

www.postgresql.org/docs/8.1/release-8-1-22.html

www.postgresql.org/docs/8.2/release-8-2-18.html

www.postgresql.org/docs/8.3/release-8-3-12.html

www.postgresql.org/docs/9.0/release.html#RELEASE-9-0-1

JSON

PostgreSQL 7.4 < 7.4.30 / 8.0 < 8.0.26 / 8.1 < 8.1.22 / 8.2 < 8.2.18 / 8.3 < 8.3.12 / 8.4 < 8.4.5 / 9.0 < 9.0.1

References

Related