Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Postgresql
(Postgresql)| Repositories | https://github.com/postgres/postgres |
| #Vulnerabilities | 161 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2012-10-06 | CVE-2012-1618 | Interaction error in the PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server with the "standard_conforming_strings" option enabled, such as the default configuration of PostgreSQL 9.1, does not properly escape unspecified JDBC statement parameters, which allows remote attackers to perform SQL injection attacks. NOTE: as of 20120330, it was claimed that the upstream developer planned to dispute this issue, but an official dispute has not been posted as of 20121005. | Postgresql, Postgresql_jdbc_driver | N/A | ||
| 2014-03-31 | CVE-2014-0064 | Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector. | Postgresql | N/A | ||
| 2015-10-26 | CVE-2015-5289 | Multiple stack-based buffer overflows in json parsing in PostgreSQL before 9.3.x before 9.3.10 and 9.4.x before 9.4.5 allow attackers to cause a denial of service (server crash) via unspecified vectors, which are not properly handled in (1) json or (2) jsonb values. | Ubuntu_linux, Debian_linux, Postgresql | N/A | ||
| 2016-04-11 | CVE-2016-2193 | PostgreSQL before 9.5.x before 9.5.2 does not properly maintain row-security status in cached plans, which might allow attackers to bypass intended access restrictions by leveraging a session that performs queries as more than one role. | Postgresql | 7.5 | ||
| 2016-04-11 | CVE-2016-3065 | The (1) brin_page_type and (2) brin_metapage_info functions in the pageinspect extension in PostgreSQL before 9.5.x before 9.5.2 allows attackers to bypass intended access restrictions and consequently obtain sensitive server memory information or cause a denial of service (server crash) via a crafted bytea value in a BRIN index page. | Postgresql | 9.1 | ||
| 2018-03-01 | CVE-2017-14798 | A race condition in the postgresql init script could be used by attackers able to access the postgresql account to escalate their privileges to root. | Postgresql, Suse_linux_enterprise_server | 7.0 | ||
| 2018-05-10 | CVE-2018-1115 | postgresql before versions 10.4, 9.6.9 is vulnerable in the adminpack extension, the pg_catalog.pg_logfile_rotate() function doesn't follow the same ACLs than pg_rorate_logfile. If the adminpack is added to a database, an attacker able to connect to it could exploit this to force log rotation. | Leap, Postgresql | 9.1 | ||
| 2019-06-26 | CVE-2019-10164 | PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account. | Fedora, Leap, Postgresql, Enterprise_linux | 8.8 | ||
| 2005-05-02 | CVE-2005-0227 | PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users to load arbitrary shared libraries and execute code via the LOAD extension. | Postgresql | N/A | ||
| 2006-10-26 | CVE-2006-5541 | backend/parser/parse_coerce.c in PostgreSQL 7.4.1 through 7.4.14, 8.0.x before 8.0.9, and 8.1.x before 8.1.5 allows remote authenticated users to cause a denial of service (daemon crash) via a coercion of an unknown element to ANYARRAY. | Postgresql | N/A |