CVE-2012-0866

Sažetak

CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table.

Reference

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.html
http://rhn.redhat.com/errata/RHSA-2012-0677.html
http://rhn.redhat.com/errata/RHSA-2012-0678.html
http://secunia.com/advisories/49272
http://secunia.com/advisories/49273
http://www.debian.org/security/2012/dsa-2418
http://www.mandriva.com/security/advisories?name=MDVSA-2012:026
http://www.mandriva.com/security/advisories?name=MDVSA-2012:027
http://www.mandriva.com/security/advisories?name=MDVSA-2012:092
http://www.postgresql.org/about/news/1377/
http://www.postgresql.org/docs/8.3/static/release-8-3-18.html
http://www.postgresql.org/docs/8.4/static/release-8-4-11.html
http://www.postgresql.org/docs/9.0/static/release-9-0-7.html
http://www.postgresql.org/docs/9.1/static/release-9-1-3.html

CVSS

Base:	6.5
Impact:	6.4
Exploitability:	8.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:S/C:P/I:P/A:P

Zadnje važnije ažuriranje

08-12-2016 - 03:02

Objavljeno

18-07-2012 - 23:55