#VU32710 Input validation error in PostgreSQL - CVE-2013-1899

Cybersecurity Help s.r.o.

Published: 2013-04-04 | Updated: 2020-07-29

Vulnerability identifier: #VU32710

Vulnerability risk: Low

CVSSv4.0: 5.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:A/U:Clear]

CVE-ID: CVE-2013-1899

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).

Mitigation
Update to version 9.2.4.

Vulnerable software versions

PostgreSQL: 9.2.0 - 9.2.3

External links
https://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
https://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
https://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
https://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
https://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
https://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
https://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
https://support.apple.com/kb/HT5880
https://support.apple.com/kb/HT5892
https://www.debian.org/security/2013/dsa-2658
https://www.mandriva.com/security/advisories?name=MDVSA-2013:142
https://www.postgresql.org/about/news/1456/
https://www.postgresql.org/docs/current/static/release-9-0-13.html
https://www.postgresql.org/docs/current/static/release-9-1-9.html
https://www.postgresql.org/docs/current/static/release-9-2-4.html
https://www.postgresql.org/support/security/faq/2013-04-04/
https://www.ubuntu.com/usn/USN-1789-1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.

Latest bulletins with this vulnerability

Gentoo update for PostgreSQL

SUSE Linux update for PostgreSQL

Input validation error in postgresql (Alpine package)

SUSE Linux update for PostgreSQL

Input validation error in PostgreSQL

Amazon Linux AMI update for postgresql9