CVE-2009-3230
First published: Wed Sep 09 2009(Updated: )
The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/postgresql | <0:7.4.26-1.el4_8.1 | 0:7.4.26-1.el4_8.1 |
| redhat/postgresql | <0:8.1.18-2.el5_4.1 | 0:8.1.18-2.el5_4.1 |
| PostgreSQL Common | =7.4.16 | |
| PostgreSQL Common | =8.1.10 | |
| PostgreSQL Common | =8.1.6 | |
| PostgreSQL Common | =8.2.9 | |
| PostgreSQL Common | =8.0.7 | |
| PostgreSQL Common | =8.0.2 | |
| PostgreSQL Common | =8.1.15 | |
| PostgreSQL Common | =8.1.7 | |
| PostgreSQL Common | =8.3.6 | |
| PostgreSQL Common | =8.2.10 | |
| PostgreSQL Common | =7.4.24 | |
| PostgreSQL Common | =8.2.4 | |
| PostgreSQL Common | =7.4.22 | |
| PostgreSQL Common | =7.4.21 | |
| PostgreSQL Common | =8.0.17 | |
| PostgreSQL Common | =8.0.10 | |
| PostgreSQL Common | =7.4.19 | |
| PostgreSQL Common | =8.1 | |
| PostgreSQL Common | =8.2.11 | |
| PostgreSQL Common | =8.1.13 | |
| PostgreSQL Common | =8.0.12 | |
| PostgreSQL Common | =8.2.12 | |
| PostgreSQL Common | =7.4.15 | |
| PostgreSQL Common | =8.0.9 | |
| PostgreSQL Common | =8.0.15 | |
| PostgreSQL Common | =7.4.1 | |
| PostgreSQL Common | =8.2.2 | |
| PostgreSQL Common | =8.3.3 | |
| PostgreSQL Common | =8.1.3 | |
| PostgreSQL Common | =7.4.14 | |
| PostgreSQL Common | =7.4.6 | |
| PostgreSQL Common | =8.3.2 | |
| PostgreSQL Common | =7.4.23 | |
| PostgreSQL Common | =7.4.11 | |
| PostgreSQL Common | =8.0.18 | |
| PostgreSQL Common | =8.2.5 | |
| PostgreSQL Common | =8.0.3 | |
| PostgreSQL Common | =7.4.7 | |
| PostgreSQL Common | =8.1.9 | |
| PostgreSQL Common | =7.4.17 | |
| PostgreSQL Common | =8.4 | |
| PostgreSQL Common | =7.4.3 | |
| PostgreSQL Common | =8.2.1 | |
| PostgreSQL Common | =8.3.1 | |
| PostgreSQL Common | =8.1.14 | |
| PostgreSQL Common | =7.4.25 | |
| PostgreSQL Common | =7.4.9 | |
| PostgreSQL Common | =7.4.5 | |
| PostgreSQL Common | =7.4.18 | |
| PostgreSQL Common | =8.3.5 | |
| PostgreSQL Common | =8.0.20 | |
| PostgreSQL Common | =8.0.8 | |
| PostgreSQL Common | =7.4.8 | |
| PostgreSQL Common | =8.2.7 | |
| PostgreSQL Common | =8.0.6 | |
| PostgreSQL Common | =8.1.11 | |
| PostgreSQL Common | =7.4 | |
| PostgreSQL Common | =8.2.6 | |
| PostgreSQL Common | =7.4.4 | |
| PostgreSQL Common | =8.0.16 | |
| PostgreSQL Common | =8.3.7 | |
| PostgreSQL Common | =8.0.13 | |
| PostgreSQL Common | =8.1.4 | |
| PostgreSQL Common | =8.0.1 | |
| PostgreSQL Common | =8.1.8 | |
| PostgreSQL Common | =8.3.4 | |
| PostgreSQL Common | =7.4.12 | |
| PostgreSQL Common | =8.0.19 | |
| PostgreSQL Common | =8.1.1 | |
| PostgreSQL Common | =8.1.12 | |
| PostgreSQL Common | =8.1.5 | |
| PostgreSQL Common | =8.0.21 | |
| PostgreSQL Common | =7.4.10 | |
| PostgreSQL Common | =8.1.16 | |
| PostgreSQL Common | =8.2.3 | |
| PostgreSQL Common | =8.0.4 | |
| PostgreSQL Common | =8.0.5 | |
| PostgreSQL Common | =7.4.20 | |
| PostgreSQL Common | =8.0.14 | |
| PostgreSQL Common | =8.2.8 | |
| PostgreSQL Common | =8.2.13 | |
| PostgreSQL Common | =8.2 | |
| PostgreSQL Common | =7.4.2 | |
| PostgreSQL Common | =8.0.11 | |
| PostgreSQL Common | =8.0 | |
| PostgreSQL Common | =7.4.13 | |
| PostgreSQL Common | =8.1.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html
- http://secunia.com/advisories/36660
- http://www.securityfocus.com/bid/36314
- http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
- http://www.postgresql.org/support/security.html
- https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html
- http://secunia.com/advisories/36727
- http://archives.postgresql.org/pgsql-www/2009-09/msg00024.php
- https://bugzilla.redhat.com/show_bug.cgi?id=522085
- http://www.vupen.com/english/advisories/2009/2602
- http://secunia.com/advisories/36695
- http://secunia.com/advisories/36837
- http://www.us.debian.org/security/2009/dsa-1900
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-270408-1
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- http://www.ubuntu.com/usn/usn-834-1
- http://secunia.com/advisories/36800
- http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0012
- http://marc.info/?l=bugtraq&m=134124585221119&w=2
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10166
- http://www.securityfocus.com/archive/1/509917/100/0/threaded
- https://access.redhat.com/security/cve/CVE-2007-2138
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=237680
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=237682
- https://www.redhat.com/security/data/cve/CVE-2007-2138.html
- https://access.redhat.com/security/cve/CVE-2007-6600
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=427127
- https://www.redhat.com/security/data/cve/CVE-2007-6600.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=522085#c2
- http://archives.postgresql.org/pgsql-www/2009-09/msg00023.php
- http://admin.fedoraproject.org/updates/postgresql-8.3.8-1.fc11
- http://admin.fedoraproject.org/updates/postgresql-8.3.8-1.fc10
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=522822
- https://access.redhat.com/security/cve/CVE-2009-3230
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3230
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=522085
- https://rhn.redhat.com/errata/RHSA-2009-1461.html
- https://rhn.redhat.com/errata/RHSA-2009-1484.html
- https://rhn.redhat.com/errata/RHSA-2009-1485.html
- https://www.cve.org/CVERecord?id=CVE-2009-3230 https://nvd.nist.gov/vuln/detail/CVE-2009-3230
- https://access.redhat.com/errata/RHSA-2009:1485
- https://access.redhat.com/errata/RHSA-2009:1484
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3230.json
Frequently Asked Questions
What is the severity of CVE-2009-3230?
CVE-2009-3230 is rated as a medium severity vulnerability.
How do I fix CVE-2009-3230?
To fix CVE-2009-3230, upgrade your PostgreSQL version to 8.4.1 or higher, 8.3.8 or higher, 8.2.14 or higher, and so on as specified.
What versions of PostgreSQL are affected by CVE-2009-3230?
CVE-2009-3230 affects PostgreSQL versions 7.4 to 8.4, including various sub-versions.
Can CVE-2009-3230 be exploited remotely?
Yes, CVE-2009-3230 can be exploited remotely by authenticated users.
What operations are improperly handled in CVE-2009-3230?
CVE-2009-3230 involves improper privilege handling for the RESET ROLE and RESET SESSION AUTHORIZATION operations.
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-3230
- agent/references
- agent/severity
- agent/author
- agent/weakness
- agent/description
- collector/redhat-cve
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-historical
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- vendor/postgresql
- canonical/postgresql common
- version/postgresql common/7.4.16
- version/postgresql common/8.1.10
- version/postgresql common/8.1.6
- version/postgresql common/8.2.9
- version/postgresql common/8.0.7
- version/postgresql common/8.0.2
- version/postgresql common/8.1.15
- version/postgresql common/8.1.7
- version/postgresql common/8.3.6
- version/postgresql common/8.2.10
- version/postgresql common/7.4.24
- version/postgresql common/8.2.4
- version/postgresql common/7.4.22
- version/postgresql common/7.4.21
- version/postgresql common/8.0.17
- version/postgresql common/8.0.10
- version/postgresql common/7.4.19
- version/postgresql common/8.1
- version/postgresql common/8.2.11
- version/postgresql common/8.1.13
- version/postgresql common/8.0.12
- version/postgresql common/8.2.12
- version/postgresql common/7.4.15
- version/postgresql common/8.0.9
- version/postgresql common/8.0.15
- version/postgresql common/7.4.1
- version/postgresql common/8.2.2
- version/postgresql common/8.3.3
- version/postgresql common/8.1.3
- version/postgresql common/7.4.14
- version/postgresql common/7.4.6
- version/postgresql common/8.3.2
- version/postgresql common/7.4.23
- version/postgresql common/7.4.11
- version/postgresql common/8.0.18
- version/postgresql common/8.2.5
- version/postgresql common/8.0.3
- version/postgresql common/7.4.7
- version/postgresql common/8.1.9
- version/postgresql common/7.4.17
- version/postgresql common/8.4
- version/postgresql common/7.4.3
- version/postgresql common/8.2.1
- version/postgresql common/8.3.1
- version/postgresql common/8.1.14
- version/postgresql common/7.4.25
- version/postgresql common/7.4.9
- version/postgresql common/7.4.5
- version/postgresql common/7.4.18
- version/postgresql common/8.3.5
- version/postgresql common/8.0.20
- version/postgresql common/8.0.8
- version/postgresql common/7.4.8
- version/postgresql common/8.2.7
- version/postgresql common/8.0.6
- version/postgresql common/8.1.11
- version/postgresql common/7.4
- version/postgresql common/8.2.6
- version/postgresql common/7.4.4
- version/postgresql common/8.0.16
- version/postgresql common/8.3.7
- version/postgresql common/8.0.13
- version/postgresql common/8.1.4
- version/postgresql common/8.0.1
- version/postgresql common/8.1.8
- version/postgresql common/8.3.4
- version/postgresql common/7.4.12
- version/postgresql common/8.0.19
- version/postgresql common/8.1.1
- version/postgresql common/8.1.12
- version/postgresql common/8.1.5
- version/postgresql common/8.0.21
- version/postgresql common/7.4.10
- version/postgresql common/8.1.16
- version/postgresql common/8.2.3
- version/postgresql common/8.0.4
- version/postgresql common/8.0.5
- version/postgresql common/7.4.20
- version/postgresql common/8.0.14
- version/postgresql common/8.2.8
- version/postgresql common/8.2.13
- version/postgresql common/8.2
- version/postgresql common/7.4.2
- version/postgresql common/8.0.11
- version/postgresql common/8.0
- version/postgresql common/7.4.13
- version/postgresql common/8.1.2