Code injection

2010-10-0617:00:00

PRIOn knowledge base

www.prio-n.com

7.5 High

AI Score

Confidence

Low

6 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

0.04 Low

EPSS

Percentile

91.8%

JSON

The PL/perl and PL/Tcl implementations in PostgreSQL 7.4 before 7.4.30, 8.0 before 8.0.26, 8.1 before 8.1.22, 8.2 before 8.2.18, 8.3 before 8.3.12, 8.4 before 8.4.5, and 9.0 before 9.0.1 do not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, as demonstrated by (1) redefining standard functions or (2) redefining operators, a different vulnerability than CVE-2010-1168, CVE-2010-1169, CVE-2010-1170, and CVE-2010-1447.

CPENameOperatorVersion
postgresqleq7.4.16
postgresqleq7.4.24
postgresqleq7.4.22
postgresqleq7.4.21
postgresqleq7.4.19
postgresqleq7.4.15
postgresqleq7.4.1
postgresqleq7.4.14
postgresqleq7.4.26
postgresqleq7.4.6

Name	Operator	Version
postgresql	eq	7.4.16
postgresql	eq	7.4.24
postgresql	eq	7.4.22
postgresql	eq	7.4.21
postgresql	eq	7.4.19
postgresql	eq	7.4.15
postgresql	eq	7.4.1
postgresql	eq	7.4.14
postgresql	eq	7.4.26
postgresql	eq	7.4.6