13198 matches found

OSV
added 2022/11/21 10:36 p.m. | 18 views

GHSA-4X5R-6V26-7J4V Creation of new database tables through login form on PostgreSQL

Impact: It's possible to make XWiki create many new schemas and fill them with tables just by using a crafted user identifier in the login form. Patches: The problem has been patched in XWiki 13.10.8, 14.6RC1 and 14.4.2. Workarounds: The only workarounds for this are: use an authenticator which does...

CVSS 7.5 | AI score 6.1 | EPSS 0.00518
Exploits: 0 | References: 4

Gentoo Linux
added 2022/11/19 12:0 a.m. | 31 views

PostgreSQL: Multiple Vulnerabilities

Background: PostgreSQL is an open source object-relational database management system. Description: Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details. Impact: Please review the referenced CVE identifiers for details. Workaroun...

CVSS 8.8 | AI score 2 | EPSS 0.11726
Exploits: 0

OSV
added 2022/11/18 11:4 a.m. | 3 views

OESA-2022-2104 libpq security update

PostgreSQL is a powerful, open source object-relational database system that uses and extends the SQL language combined with many features that safely store and scale the most complicated data workloads. This package provides the essential shared library for any PostgreSQL client program or...

CVSS 8.8 | AI score 7.9 | EPSS 0.11726
Exploits: 0 | References: 2

Tenable Nessus
added 2022/11/17 12:0 a.m. | 18 views

Rocky Linux 8 : postgresql:12 (RLSA-2022:7128)

The remote Rocky Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RLSA-2022:7128 advisory. - A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait fo...

CVSS 8 | AI score 7.2 | EPSS 0.0152
Exploits: 0 | References: 3

OpenVAS
added 2022/11/16 12:0 a.m. | 5 views

Debian: Security Advisory (DLA-3189)

The remote host is missing an update for the Debian...

AI score 7.5
Exploits: 0 | References: 5

Tenable Nessus
added 2022/11/16 12:0 a.m. | 24 views

AlmaLinux 9 : postgresql (ALSA-2022:4771)

The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2022:4771 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number...

CVSS 8.8 | AI score 7.2 | EPSS 0.11726
Exploits: 0 | References: 2

Tenable Nessus
added 2022/11/15 12:0 a.m. | 17 views

Debian DLA-3189-1 : postgresql-11 - LTS security update

The remote Debian 10 host has packages installed that are affected by a vulnerability as referenced in the dla-3189 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number...

AI score 5.6
Exploits: 0 | References: 3

OSV
added 2022/11/15 12:0 a.m. | 22 views

DLA-3189-1 postgresql-11 - bugfix update

Bulletin has no description...

AI score 7.2
Exploits: 0

IBM Security Bulletins
added 2022/11/08 8:13 p.m. | 59 views

Security Bulletin: IBM Security Guardium is affected by a postgresql-42.0.0.jar vulnerability

Summary: IBM Security Guardium has fixed this vulnerability. Vulnerability Details: CVEID: CVE-2020-13692 DESCRIPTION: PostgreSQL JDBC Driver could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending...

CVSS 7.7 | AI score 7.5 | EPSS 0.04094
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2022/11/08 4:36 p.m. | 80 views

Security Bulletin: IBM Security Guardium is affected by multiple vulnerabilities

Summary: IBM Security Guardium has fixed these vulnerabilities. Vulnerability Details: CVEID: CVE-2021-38153 DESCRIPTION: Apache Kafka could allow a remote attacker to obtain sensitive information, caused by a timing attack flaw due to the use of "Arrays.equals" to validate a password or key. By...

CVSS 7.4 | AI score 7.5 | EPSS 0.50445
Exploits: 0 | Affected Software: 1

IBM Security Bulletins
added 2022/11/08 3:56 p.m. | 67 views

Security Bulletin: IBM Security Guardium is affected by a PostgreSQL vulnerability (CVE-2022-1552)

Summary: IBM Security Guardium has fixed this vulnerability. Vulnerability Details: CVEID: CVE-2022-1552 DESCRIPTION: PostgreSQL remote authenticated attacker to bypass security restrictions, caused by an issue with not activate protection or too late with the Autovacuum, REINDEX, CREATE INDEX,...

CVSS 8.8 | AI score 9 | EPSS 0.11726
Exploits: 0 | Affected Software: 1

RedHat Linux
added 2022/11/08 9:45 a.m. | 3 views

php: Uninitialized array in pg_query_params() leading to RCE

A vulnerability was found in PHP due to an uninitialized array in the pg_query_params() function. When using the Postgres database extension, supplying invalid parameters to the parameterized query may lead to PHP attempting to free memory, using uninitialized data as pointers. This flaw allows a remote...

CVSS 8.1 | AI score 7.8 | EPSS 0.03437
Exploits: 1 | References: 5

Rockylinux
added 2022/11/08 6:21 a.m. | 10 views

postgresql-jdbc bug fix and enhancement update

An update is available for postgresql-jdbc. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. For detailed information on changes in this release, see the Rocky...

AI score 2
Exploits: 0

Tenable Nessus
added 2022/11/05 12:0 a.m. | 23 views

Amazon Linux 2022 : postgresql14, postgresql14-contrib, postgresql14-llvmjit (ALAS2022-2022-190)

It is, therefore, affected by a vulnerability as referenced in the ALAS2022-2022-190 advisory. A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH...

CVSS 8.8 | AI score 7.6 | EPSS 0.11726
Exploits: 0 | References: 3

Huntr
added 2022/11/04 12:46 a.m. | 31 views

Authenticated SQL injection via filename & update-instance parameters

There is a SQL injection vulnerability inside the saveMeta function in AttachmentAbstract.php. When a file is uploaded via the admin/index.php?action=ajax&ajax=att&ajaxaction=upload endpoint, the filename parameter is not sanitized and is later interpolated into a raw SQL query inside...

AI score 0.4
Exploits: 0

IBM Security Bulletins
added 2022/11/03 5:10 p.m. | 38 views

Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer operands that use the postgresql connector code may be vulnerable to SQL Injection due to [CVE-2022-35942]

Summary: The postgresql Loopback connector is available in the IntegrationServer image from IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container does not use this component directly but it is available for use by an application developed to run in an...

CVSS 10 | AI score 9.3 | EPSS 0.00547
Exploits: 0 | Affected Software: 1

Huntr
added 2022/11/02 6:12 p.m. | 13 views

SQL Injection via lang parameter/RCE when PostgreSQL is used

Description: There is a SQL injection vulnerability in the lang parameter of the phpmyfaq/ajaxservice.php?action=savefaq endpoint. Vulnerable code starts at ajaxservice.php line 369, specifically the is_null($faqId) && !is_null($categories['rubrik']) part: if (!is_null($author) && !is_null($email) &&...

AI score 0.2
Exploits: 0 | References: 1

IBM Security Bulletins
added 2022/11/01 10:43 a.m. | 47 views

Security Bulletin: Vulnerability in PostgreSQL may affect IBM Elastic Storage System

Summary: PostgreSQL could allow a remote attacker to gain unauthorized access to the system which may affect IBM Elastic Storage System. Vulnerability Details: CVEID: CVE-2022-1552 DESCRIPTION: PostgreSQL remote authenticated attacker to bypass security restrictions, caused by an issue with not...

CVSS 8.8 | AI score 9.2 | EPSS 0.11726
Exploits: 0 | Affected Software: 1

Fortinet
added 2022/11/01 12:0 a.m. | 58 views

FortiSOAR - PostgreSQL DB access to local users

A missing authentication for critical function (CWE-306) vulnerability in FortiSOAR's Postgres database may allow a local attacker to access sensitive information via logging into the database using a privileged account without a password...

CVSS 1.7 | AI score 5.4 | EPSS 0.00169
Exploits: 0 | Affected Software: 1

OpenVAS
added 2022/10/28 12:0 a.m. | 10 views

Huawei EulerOS: Security Advisory for postgresql (EulerOS-SA-2022-2631)

The remote host is missing an update for the Huawei EulerOS...

CVSS 8.8 | AI score 9.1 | EPSS 0.11726
Exploits: 0 | References: 2