SecurityTracker.com
Category:   Application (Database)  >   PostgreSQL
Vendors:   postgresql.org
PostgreSQL SET ROLE Validation Error Lets Remote Authenticated Users Obtain Elevated Privileges
SecurityTracker Alert ID:  1015636
SecurityTracker URL:  http://securitytracker.com/id/1015636
CVE Reference:   CVE-2006-0553
Date:  Feb 15 2006
Impact:   Denial of service via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 8.1.0 - 8.1.2
Description:   A vulnerability was reported in PostgreSQL. A remote authenticated user can gain elevated privileges.

The software does not properly validate the SET ROLE command. A remote authenticated user can set their role privileges to those of any other database user ID (such as the superuser ID).

If the server has been compiled with Asserts enabled (not the default setting), a user can invoke the SET SESSION AUTHORIZATION command to cause the server to crash. Version 7.3 and later versions are affected. Akio Ishida reported this vulnerability.

Impact:   A remote authenticated user can gain elevated privileges.

A user can cause the server to crash.

Solution:   The vendor has issued a fixed version (8.1.3), available at:

http://www.postgresql.org/download
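
For triaging an inventory against this alert, the following added example (not part of the original advisory or of PostgreSQL) classifies `version()` banners using only the version bounds stated above. It reads the "Version 7.3 and later" sentence as applying to the SET SESSION AUTHORIZATION crash; the function names, the `asserts_enabled` flag and the sample inventory are constructed for illustration.

```python
import re

# Version bounds as stated in the advisory text.
SET_ROLE_RANGE = ((8, 1, 0), (8, 1, 2))   # SET ROLE escalation
CRASH_FIRST = (7, 3, 0)                   # "Version 7.3 and later" (crash issue)
FIXED = (8, 1, 3)                         # vendor's fixed release

def parse_version(banner):
    """Return (major, minor, patch) from a version() banner or bare version."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def triage(banner, asserts_enabled=False):
    """Classify one server against the two issues in this advisory."""
    v = parse_version(banner)
    on_81 = v[:2] == (8, 1)
    findings = []
    if SET_ROLE_RANGE[0] <= v <= SET_ROLE_RANGE[1]:
        findings.append("SET ROLE privilege escalation")
    if asserts_enabled and CRASH_FIRST <= v < FIXED:
        # The advisory names a fixed release only for the 8.1 branch.
        note = "" if on_81 else " (unconfirmed: branch fix level not in advisory)"
        findings.append("SET SESSION AUTHORIZATION crash" + note)
    if not findings:
        action = "no action from this advisory"
    elif on_81:
        action = "upgrade to 8.1.3"
    else:
        action = "check the vendor announcement for this branch"
    return {"version": ".".join(map(str, v)), "findings": findings, "action": action}

# Constructed inventory: (host, version() output, built with asserts?)
INVENTORY = [
    ("db-a", "PostgreSQL 8.1.2 on i686-pc-linux-gnu, compiled by GCC 3.4.4", False),
    ("db-b", "PostgreSQL 8.1.3 on x86_64-unknown-linux-gnu", True),
    ("db-c", "PostgreSQL 8.0.6 on i686-pc-linux-gnu", True),
]

if __name__ == "__main__":
    for host, banner, asserts in INVENTORY:
        print(host, triage(banner, asserts))
```
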

Vendor URL:  archives.postgresql.org/pgsql-announce/2006-02/msg00008.php
Cause:   Access control error, Exception handling error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

