Ubuntu 8.04 LTS / 10.04 LTS / 11.04 / 11.10 / 12.04 LTS : postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerabilities (USN-1542-1)

Peter Eisentraut discovered that the XSLT functionality in the optional XML2 extension would allow unprivileged database users to both read and write data with the privileges of the database server. CVE-2012-3488 Noah Misch and Tom Lane discovered that the XML functionality in the optional XML2...

Do You Know What Your Database Users Are Doing?

In our last column, we focused on privilege escalation attacks, and the impact that this category of SQL injection attacks can have on the database – particularly where specific database vulnerabilities exist, and can be exploited through the manipulation of privileges. Let’s look more deeply at...

Oracle APEX 3.2 - Unprivileged DB users can see APEX Password hashes

Unprivileged DB users can see APEX password hashes in FLOWS030000.WWVFLOWUSER CVE-2009-0981 Name Unprivileged DB users can see APEX password hashes in FLOWS030000.WWVFLOWUSER CVE-2009-0981 Systems Affected APEX 3.0 optional component of 11.1.0.7 installation Severity High Risk Category Password...

Security feature bypass

PostgreSQL 8.1.0 through 8.1.2 allows authenticated database users to gain additional privileges via "knowledge of the backend protocol" using a crafted SET ROLE to other database users, a different vulnerability than CVE-2006-0678...

Oracle XSQL Sample Application Vulnerability

One of the sample applications that comes with the Oracle XSQL Servlet allows an attacker to make arbitrary queries to the Oracle database under an unprivileged account. Whilst not allowing an attacker to delete or modify database contents, this flaw can be used to enumerate database users and vi...