CVE-2007-3278
First published: Tue Jun 19 2007(Updated: )
PostgreSQL 8.1 and probably later versions, when local trust authentication is enabled and the Database Link library (dblink) is installed, allows remote attackers to access arbitrary accounts and execute arbitrary SQL queries via a dblink host parameter that proxies the connection from 127.0.0.1.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PostgreSQL | >=7.4<7.4.19 | |
| PostgreSQL | >=8.0<8.0.15 | |
| PostgreSQL | >=8.1<8.1.11 | |
| PostgreSQL | >=8.2<8.2.6 | |
| PostgreSQL | >=7.3<7.3.21 | |
| Debian | =3.1 | |
| Debian | =4.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/archive/1/471644/100/0/threaded
- http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
- http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:188
- http://www.debian.org/security/2008/dsa-1460
- http://www.debian.org/security/2008/dsa-1463
- http://www.redhat.com/support/errata/RHSA-2008-0038.html
- http://www.redhat.com/support/errata/RHSA-2008-0039.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-103197-1
- http://secunia.com/advisories/28376
- http://secunia.com/advisories/28438
- http://secunia.com/advisories/28445
- http://secunia.com/advisories/28437
- http://secunia.com/advisories/28454
- http://secunia.com/advisories/28477
- http://secunia.com/advisories/28479
- http://security.gentoo.org/glsa/glsa-200801-15.xml
- http://secunia.com/advisories/28679
- http://www.redhat.com/support/errata/RHSA-2008-0040.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-200559-1
- http://secunia.com/advisories/29638
- http://osvdb.org/40899
- http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01420154
- http://www.vupen.com/english/advisories/2008/1071/references
- http://www.vupen.com/english/advisories/2008/0109
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35142
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10334
- https://usn.ubuntu.com/568-1/
- http://www.securityfocus.com/archive/1/471541/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2007-3278?
CVE-2007-3278 is classified as a medium severity vulnerability due to its potential for unauthorized SQL query execution.
How do I fix CVE-2007-3278?
To mitigate CVE-2007-3278, disable local trust authentication or restrict the usage of the dblink library.
Which versions of PostgreSQL are affected by CVE-2007-3278?
CVE-2007-3278 affects PostgreSQL versions 7.3 through 8.2, with local trust authentication enabled and dblink installed.
What type of attack is facilitated by CVE-2007-3278?
CVE-2007-3278 allows remote attackers to access arbitrary accounts and execute arbitrary SQL queries.
Is there a workaround for CVE-2007-3278?
A possible workaround for CVE-2007-3278 is to configure PostgreSQL to disallow the use of dblink or change authentication methods.
- agent/type
- agent/references
- agent/weakness
- agent/severity
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/first-publish-date
- agent/event
- agent/softwarecombine
- agent/tags
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/postgresql
- canonical/postgresql
- version/postgresql/7.4
- version/postgresql/8.0
- version/postgresql/8.1
- version/postgresql/8.2
- version/postgresql/7.3
- vendor/debian
- canonical/debian
- version/debian/3.1
- version/debian/4.0