Product:

Postgresql

(Postgresql)
Repositories https://github.com/postgres/postgres
#Vulnerabilities 155
Date Id Summary Products Score Patch Annotated
2017-11-13 CVE-2017-8806 The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files. Postgresql 5.5
2024-02-08 CVE-2024-0985 Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. As part... Postgresql 8.0
2012-07-05 CVE-2012-2143 The crypt_des (aka DES-based crypt) function in FreeBSD before 9.0-RELEASE-p2, as used in PHP, PostgreSQL, and other products, does not process the complete cleartext password if this password contains a 0x80 character, which makes it easier for context-dependent attackers to obtain access via an authentication attempt with an initial substring of the intended password, as demonstrated by a Unicode password. Debian_linux, Freebsd, Php, Postgresql N/A
2023-08-11 CVE-2023-39417 IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or ""). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser. Debian_linux, Postgresql, Enterprise_linux, Software_collections 8.8
2023-08-11 CVE-2023-39418 A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. If UPDATE and SELECT policies forbid some rows that INSERT policies do not forbid, a user could store such rows. Debian_linux, Postgresql, Enterprise_linux 4.3
2012-10-03 CVE-2012-3489 The xml_parse function in the libxml2 support in the core server component in PostgreSQL 8.3 before 8.3.20, 8.4 before 8.4.13, 9.0 before 9.0.9, and 9.1 before 9.1.5 allows remote authenticated users to determine the existence of arbitrary files or URLs, and possibly obtain file or URL content that triggers a parsing error, via an XML value that refers to (1) a DTD or (2) an entity, related to an XML External Entity (aka XXE) issue. Mac_os_x_server, Ubuntu_linux, Debian_linux, Opensuse, Postgresql, Enterprise_linux_desktop, Enterprise_linux_eus, Enterprise_linux_server, Enterprise_linux_workstation 6.5
2009-09-17 CVE-2009-3231 The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password. Ubuntu_linux, Fedora, Opensuse, Postgresql, Linux_enterprise, Linux_enterprise_server N/A
2002-12-31 CVE-2002-1657 PostgreSQL uses the username for a salt when generating passwords, which makes it easier for remote attackers to guess passwords via a brute force attack. Postgresql 7.5
2005-05-02 CVE-2005-0246 The intagg contrib module for PostgreSQL 8.0.0 and earlier allows attackers to cause a denial of service (crash) via crafted arrays. Postgresql N/A
2005-02-09 CVE-2004-0977 The make_oidjoins_check script in PostgreSQL 7.4.5 and earlier allows local users to overwrite files via a symlink attack on temporary files. Mandrake_linux, Mandrake_linux_corporate_server, Postgresql, Enterprise_linux, Enterprise_linux_desktop, Secure_linux N/A