CVE-2007-6600

Properties

Published: 08.01.2008
Updated: 21.08.2010
Patch available:
Severity: Medium
CVSS vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Product: postgresql: postgresql

Vulnerability description

PostgreSQL 8.2 before 8.2.6, 8.1 before 8.1.11, 8.0 before 8.0.15, 7.4 before 7.4.19, and 7.3 before 7.3.21 uses superuser privileges instead of table owner privileges for (1) VACUUM and (2) ANALYZE operations within index functions, and supports (3) SET ROLE and (4) SET SESSION AUTHORIZATION within index functions, which allows remote authenticated users to gain privileges.

References:

BID: http://www.securityfocus.com/bid/27163
CONFIRM: http://www.postgresql.org/about/news.905
VUPEN: http://www.frsirt.com/english/advisories/2008/1071/references
VUPEN: http://www.frsirt.com/english/advisories/2008/0061
FEDORA: https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00469.html
FEDORA: https://www.redhat.com/archives/fedora-package-announce/2008-January/msg00397.html
CONFIRM: https://issues.rpath.com/browse/RPL-1768
XF: http://xforce.iss.net/xforce/xfdb/39496
UBUNTU: http://www.ubuntulinux.org/support/documentation/usn/usn-568-1
BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/486407/100/0/threaded
BUGTRAQ: http://www.securityfocus.com/archive/1/archive/1/485864/100/0/threaded
REDHAT: http://www.redhat.com/support/errata/RHSA-2008-0040.html
REDHAT: http://www.redhat.com/support/errata/RHSA-2008-0039.html
REDHAT: http://www.redhat.com/support/errata/RHSA-2008-0038.html
MANDRIVA: http://www.mandriva.com/security/advisories?name=MDVSA-2008:004
VUPEN: http://www.frsirt.com/english/advisories/2008/0109
DEBIAN: http://www.debian.org/security/2008/dsa-1463
DEBIAN: http://www.debian.org/security/2008/dsa-1460
SUNALERT: http://sunsolve.sun.com/search/document.do?assetkey=1-66-200559-1
SUNALERT: http://sunsolve.sun.com/search/document.do?assetkey=1-26-103197-1
SECTRACK: http://securitytracker.com/id?1019157
GENTOO: http://security.gentoo.org/glsa/glsa-200801-15.xml
SECUNIA: http://secunia.com/advisories/29638
SECUNIA: http://secunia.com/advisories/28698
SECUNIA: http://secunia.com/advisories/28679
SECUNIA: http://secunia.com/advisories/28479
SECUNIA: http://secunia.com/advisories/28477
SECUNIA: http://secunia.com/advisories/28464
SECUNIA: http://secunia.com/advisories/28455
SECUNIA: http://secunia.com/advisories/28454
SECUNIA: http://secunia.com/advisories/28445
SECUNIA: http://secunia.com/advisories/28438
SECUNIA: http://secunia.com/advisories/28437
SECUNIA: http://secunia.com/advisories/28376
SECUNIA: http://secunia.com/advisories/28359
OVAL: http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:10493
SUSE: http://lists.opensuse.org/opensuse-security-announce/2008-02/msg00000.html
HP: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01420154