Input validation error in PostgreSQL

Published: 2013-04-04 | Updated: 2020-07-28

Risk	Low
Patch available	YES
Number of vulnerabilities	1
CVE-ID	CVE-2013-1899
CWE-ID	CWE-20
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software	PostgreSQL Server applications / Database software
Vendor	PostgreSQL Global Development Group

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Input validation error

EUVDB-ID: #VU32710

Risk: Low

CVSSv4.0: 5.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/U:Clear]

CVE-ID: CVE-2013-1899

CWE-ID: CWE-20 - Improper input validation

Exploit availability: Yes

Description

The vulnerability allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).

Mitigation

Update to version 9.2.4.

Vulnerable software versions

PostgreSQL: 9.2.0 - 9.2.3

CPE2.3

cpe:2.3:a:postgresql_global_development_group:postgresql:9.2.3:*:*:*:*:*:*:*

External links

https://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
https://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
https://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
https://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
https://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
https://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
https://support.apple.com/kb/HT5880
https://support.apple.com/kb/HT5892
https://www.debian.org/security/2013/dsa-2658
https://www.mandriva.com/security/advisories?name=MDVSA-2013:142
https://www.postgresql.org/about/news/1456/
https://www.postgresql.org/docs/current/static/release-9-0-13.html
https://www.postgresql.org/docs/current/static/release-9-1-9.html
https://www.postgresql.org/docs/current/static/release-9-2-4.html
https://www.postgresql.org/support/security/faq/2013-04-04/
https://www.ubuntu.com/usn/USN-1789-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.