CVE-2009-3231
First published: Wed Sep 09 2009(Updated: )
The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PostgreSQL Common | =8.2 | |
| PostgreSQL Common | =8.2.1 | |
| PostgreSQL Common | =8.2.2 | |
| PostgreSQL Common | =8.2.3 | |
| PostgreSQL Common | =8.2.4 | |
| PostgreSQL Common | =8.2.5 | |
| PostgreSQL Common | =8.2.6 | |
| PostgreSQL Common | =8.2.7 | |
| PostgreSQL Common | =8.2.8 | |
| PostgreSQL Common | =8.2.9 | |
| PostgreSQL Common | =8.2.10 | |
| PostgreSQL Common | =8.2.11 | |
| PostgreSQL Common | =8.2.12 | |
| PostgreSQL Common | =8.2.13 | |
| PostgreSQL Common | =8.3 | |
| PostgreSQL Common | =8.3.1 | |
| PostgreSQL Common | =8.3.2 | |
| PostgreSQL Common | =8.3.3 | |
| PostgreSQL Common | =8.3.4 | |
| PostgreSQL Common | =8.3.5 | |
| PostgreSQL Common | =8.3.6 | |
| PostgreSQL Common | =8.3.7 | |
| PostgreSQL | >=8.2<8.2.14 | |
| PostgreSQL | >=8.3<8.3.8 | |
| openSUSE | >=10.3<=11.1 | |
| SUSE Linux Enterprise Server | =10.0-sp2 | |
| SUSE Linux Enterprise Server | =11.0 | |
| SUSE Linux Enterprise Server | =9 | |
| Red Hat Fedora | =10 | |
| Red Hat Fedora | =11 | |
| Ubuntu | =6.06 | |
| Ubuntu | =8.04 | |
| Ubuntu | =8.10 | |
| Ubuntu | =9.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi?id=522084
- http://www.securityfocus.com/bid/36314
- https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html
- http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
- https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html
- http://www.postgresql.org/support/security.html
- http://secunia.com/advisories/36727
- http://secunia.com/advisories/36660
- http://secunia.com/advisories/36837
- http://www.us.debian.org/security/2009/dsa-1900
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
- http://secunia.com/advisories/36800
- http://www.ubuntu.com/usn/usn-834-1
- http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0012
- http://marc.info/?l=bugtraq&m=134124585221119&w=2
- http://www.securityfocus.com/archive/1/509917/100/0/threaded
- http://admin.fedoraproject.org/updates/postgresql-8.3.8-1.fc11
- http://admin.fedoraproject.org/updates/postgresql-8.3.8-1.fc10
- https://access.redhat.com/security/cve/CVE-2009-3231
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3231
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=522084
- https://rhn.redhat.com/errata/RHSA-2009-1461.html
- https://www.cve.org/CVERecord?id=CVE-2009-3231 https://nvd.nist.gov/vuln/detail/CVE-2009-3231
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2009-3231.json
Frequently Asked Questions
What is the severity of CVE-2009-3231?
CVE-2009-3231 is classified as a moderate severity vulnerability due to its ability to allow bypassing LDAP authentication.
How do I fix CVE-2009-3231?
To resolve CVE-2009-3231, you should upgrade to PostgreSQL version 8.3.8 or later for version 8.3 or 8.2.14 or later for version 8.2.
What systems are affected by CVE-2009-3231?
CVE-2009-3231 affects PostgreSQL versions 8.3 before 8.3.8 and 8.2 before 8.2.14, as well as certain vulnerable Linux distributions using these PostgreSQL versions.
What happens if I don't mitigate CVE-2009-3231?
Failure to mitigate CVE-2009-3231 could allow unauthorized remote attackers to bypass authentication and gain access to the database.
What type of authentication is vulnerable in CVE-2009-3231?
CVE-2009-3231 specifically affects LDAP authentication when using anonymous binds.
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2009-3231
- collector/redhat-cve
- agent/severity
- agent/references
- agent/weakness
- agent/description
- agent/author
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-historical
- agent/softwarecombine
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- vendor/postgresql
- canonical/postgresql common
- version/postgresql common/8.2
- version/postgresql common/8.2.1
- version/postgresql common/8.2.2
- version/postgresql common/8.2.3
- version/postgresql common/8.2.4
- version/postgresql common/8.2.5
- version/postgresql common/8.2.6
- version/postgresql common/8.2.7
- version/postgresql common/8.2.8
- version/postgresql common/8.2.9
- version/postgresql common/8.2.10
- version/postgresql common/8.2.11
- version/postgresql common/8.2.12
- version/postgresql common/8.2.13
- version/postgresql common/8.3
- version/postgresql common/8.3.1
- version/postgresql common/8.3.2
- version/postgresql common/8.3.3
- version/postgresql common/8.3.4
- version/postgresql common/8.3.5
- version/postgresql common/8.3.6
- version/postgresql common/8.3.7
- canonical/postgresql
- version/postgresql/8.2
- version/postgresql/8.3
- vendor/opensuse
- canonical/opensuse
- version/opensuse/10.3
- version/opensuse/11.1
- vendor/suse
- canonical/suse linux enterprise server
- version/suse linux enterprise server/10.0-sp2
- version/suse linux enterprise server/11.0
- version/suse linux enterprise server/9
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/10
- version/red hat fedora/11
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/6.06
- version/ubuntu/8.04
- version/ubuntu/8.10
- version/ubuntu/9.04