CVE-2012-0866

CREATE TRIGGER in PostgreSQL 8.3.x before 8.3.18, 8.4.x before 8.4.11, 9.0.x before 9.0.7, and 9.1.x before 9.1.3 does not properly check the execute permission for trigger functions marked SECURITY DEFINER, which allows remote authenticated users to execute otherwise restricted triggers on arbitrary data by installing the trigger on an attacker-owned table.
References
Link Resource
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.html
http://rhn.redhat.com/errata/RHSA-2012-0677.html
http://rhn.redhat.com/errata/RHSA-2012-0678.html
http://secunia.com/advisories/49272
http://secunia.com/advisories/49273
http://www.debian.org/security/2012/dsa-2418
http://www.mandriva.com/security/advisories?name=MDVSA-2012:026
http://www.mandriva.com/security/advisories?name=MDVSA-2012:027
http://www.mandriva.com/security/advisories?name=MDVSA-2012:092
http://www.postgresql.org/about/news/1377/ Vendor Advisory
http://www.postgresql.org/docs/8.3/static/release-8-3-18.html
http://www.postgresql.org/docs/8.4/static/release-8-4-11.html
http://www.postgresql.org/docs/9.0/static/release-9-0-7.html
http://www.postgresql.org/docs/9.1/static/release-9-1-3.html
http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705
http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.html
http://rhn.redhat.com/errata/RHSA-2012-0677.html
http://rhn.redhat.com/errata/RHSA-2012-0678.html
http://secunia.com/advisories/49272
http://secunia.com/advisories/49273
http://www.debian.org/security/2012/dsa-2418
http://www.mandriva.com/security/advisories?name=MDVSA-2012:026
http://www.mandriva.com/security/advisories?name=MDVSA-2012:027
http://www.mandriva.com/security/advisories?name=MDVSA-2012:092
http://www.postgresql.org/about/news/1377/ Vendor Advisory
http://www.postgresql.org/docs/8.3/static/release-8-3-18.html
http://www.postgresql.org/docs/8.4/static/release-8-4-11.html
http://www.postgresql.org/docs/9.0/static/release-9-0-7.html
http://www.postgresql.org/docs/9.1/static/release-9-1-3.html
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:postgresql:postgresql:8.3:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.1:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.2:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.3:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.4:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.5:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.6:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.7:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.8:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.9:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.10:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.11:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.12:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.13:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.14:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.15:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.16:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.3.17:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:postgresql:postgresql:8.4:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.4.1:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.4.2:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.4.3:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.4.4:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.4.5:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.4.6:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.4.7:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.4.8:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.4.9:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:8.4.10:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:postgresql:postgresql:9.0:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:9.0.1:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:9.0.2:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:9.0.3:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:9.0.4:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:9.0.5:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:9.0.6:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:a:postgresql:postgresql:9.1:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:9.1.1:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:9.1.2:*:*:*:*:*:*:*

History

21 Nov 2024, 01:35

Type Values Removed Values Added
References () http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 - () http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10705 -
References () http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.html - () http://lists.opensuse.org/opensuse-updates/2012-09/msg00060.html -
References () http://rhn.redhat.com/errata/RHSA-2012-0677.html - () http://rhn.redhat.com/errata/RHSA-2012-0677.html -
References () http://rhn.redhat.com/errata/RHSA-2012-0678.html - () http://rhn.redhat.com/errata/RHSA-2012-0678.html -
References () http://secunia.com/advisories/49272 - () http://secunia.com/advisories/49272 -
References () http://secunia.com/advisories/49273 - () http://secunia.com/advisories/49273 -
References () http://www.debian.org/security/2012/dsa-2418 - () http://www.debian.org/security/2012/dsa-2418 -
References () http://www.mandriva.com/security/advisories?name=MDVSA-2012:026 - () http://www.mandriva.com/security/advisories?name=MDVSA-2012:026 -
References () http://www.mandriva.com/security/advisories?name=MDVSA-2012:027 - () http://www.mandriva.com/security/advisories?name=MDVSA-2012:027 -
References () http://www.mandriva.com/security/advisories?name=MDVSA-2012:092 - () http://www.mandriva.com/security/advisories?name=MDVSA-2012:092 -
References () http://www.postgresql.org/about/news/1377/ - Vendor Advisory () http://www.postgresql.org/about/news/1377/ - Vendor Advisory
References () http://www.postgresql.org/docs/8.3/static/release-8-3-18.html - () http://www.postgresql.org/docs/8.3/static/release-8-3-18.html -
References () http://www.postgresql.org/docs/8.4/static/release-8-4-11.html - () http://www.postgresql.org/docs/8.4/static/release-8-4-11.html -
References () http://www.postgresql.org/docs/9.0/static/release-9-0-7.html - () http://www.postgresql.org/docs/9.0/static/release-9-0-7.html -
References () http://www.postgresql.org/docs/9.1/static/release-9-1-3.html - () http://www.postgresql.org/docs/9.1/static/release-9-1-3.html -

Information

Published : 2012-07-18 23:55

Updated : 2024-11-21 01:35


NVD link : CVE-2012-0866

Mitre link : CVE-2012-0866

CVE.ORG link : CVE-2012-0866


JSON object : View

Products Affected

postgresql

  • postgresql
CWE
CWE-264

Permissions, Privileges, and Access Controls