CVE-2009-0922

Severity

40%

Complexity

80%

Confidentiality

48%

Per: https://bugzilla.redhat.com/show_bug.cgi?id=488156 "PostgreSQL allows remote authenticated users to cause a momentary denial of service (crash due to stack consumption) when there is a failure to convert a localized error message to the client-specified encoding. In releases 8.3.6, 8.2.12, 8.1.16. 8.0.20, and 7.4.24, a trivial misconfiguration is sufficient to provoke a crash. In older releases it is necessary to select a locale and client encoding for which specific messages fail to translate, and so a given installation may or may not be vulnerable depending on the administrator-determined locale setting. Releases 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 are secure against all known variants of this issue."

PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.

Per: https://bugzilla.redhat.com/show_bug.cgi?id=488156 "PostgreSQL allows remote authenticated users to cause a momentary denial of service (crash due to stack consumption) when there is a failure to convert a localized error message to the client-specified encoding. In releases 8.3.6, 8.2.12, 8.1.16. 8.0.20, and 7.4.24, a trivial misconfiguration is sufficient to provoke a crash. In older releases it is necessary to select a locale and client encoding for which specific messages fail to translate, and so a given installation may or may not be vulnerable depending on the administrator-determined locale setting. Releases 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 are secure against all known variants of this issue."

CVSS 2.0 Base Score 4. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P).

Overview

Type

PostgreSQL

First reported 16 years ago

2009-03-17 17:30:00

Last updated 6 years ago

2018-10-10 19:32:00

Affected Software

PostgreSQL PostgreSQL 7.4.24

7.4.24

PostgreSQL PostgreSQL 8.0.20

8.0.20

PostgreSQL 8.1.16

8.1.16

PostgreSQL 8.2.12

8.2.12

PostgreSQL 8.3.6

8.3.6

References

[pgsql-bugs] 20090227 Re: BUG #4680: Server crashed if using wrong (mismatch) conversion functions

Exploit

[pgsql-bugs] 20090227 BUG #4680: Server crashed if using wrong (mismatch) conversion functions

Exploit

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517405

SUSE-SR:2009:009

HPSBMU02781

34453

Vendor Advisory

35100

Vendor Advisory

258808

1020455

http://wiki.rpath.com/Advisories:rPSA-2009-0086

MDVSA-2009:079

[oss-security] 20090311 CVE request -- postgresql

http://www.postgresql.org/about/news.1065

Patch, Vendor Advisory

RHSA-2009:1067

20090519 rPSA-2009-0086-1 postgresql postgresql-contrib postgresql-server

34090

Exploit, Patch

1021860

ADV-2009-0767

Patch, Vendor Advisory

ADV-2009-1316

Patch, Vendor Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=488156

oval:org.mitre.oval:def:10874

oval:org.mitre.oval:def:6252

FEDORA-2009-2927

FEDORA-2009-2959

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.