SB2008010902 - Multiple vulnerabilities in PostgreSQL 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2008010902

SB2008010902 - Multiple vulnerabilities in PostgreSQL

Published: January 9, 2008 Updated: June 23, 2025

Security Bulletin ID SB2008010902
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Incorrect Regular Expression (CVE-ID: CVE-2007-6067)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


2) Incorrect Regular Expression (CVE-ID: CVE-2007-4769)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.


3) Infinite loop (CVE-ID: CVE-2007-4772)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop. A remote attacker can consume all available system resources and cause denial of service conditions.


4) OS Command Injection (CVE-ID: CVE-2007-6601)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in dblink. A remote attacker with ability to manipulate the connection string can pass specially crafted input to the application and execute arbitrary OS commands on the target system.

Note, the vulnerability exists due to incomplete fix for CVE-2007-3278.


5) Improper privilege management (CVE-ID: CVE-2007-6600)

The vulnerability allows a remote user to escalate privileges within the application.

The vulnerability exists due software users superuser privileges instead of table owner privileges for (1) VACUUM and (2) ANALYZE operations within index functions, and supports (3) SET ROLE and (4) SET SESSION AUTHORIZATION within index functions. A remote user can escalate privileges within the database. 


Remediation

Install update from vendor's website.

References