CVE-2013-1899

Published: Apr 4, 2013Modified: Apr 29, 2026

6.5

Vector

AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability: 8.0 / Impact: 6.4

Source: NVD

Description

Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).

Affected (31)

Products: Postgresql: Postgresql · Canonical: Ubuntu Linux

1 product

1 product

Configuration A

4 vulnerable

Vulnerable Software	Affected Versions
Postgresql Postgresql	Version 9.2.1
Postgresql Postgresql	Version 9.2.2
Postgresql Postgresql	Version 9.2.3
Postgresql Postgresql	Version 9.2

Configuration B

9 vulnerable

Vulnerable Software	Affected Versions
Postgresql Postgresql	Version 9.1.1
Postgresql Postgresql	Version 9.1.2
Postgresql Postgresql	Version 9.1.3
Postgresql Postgresql	Version 9.1.4
Postgresql Postgresql	Version 9.1.5
Postgresql Postgresql	Version 9.1.6
Postgresql Postgresql	Version 9.1.7
Postgresql Postgresql	Version 9.1.8
Postgresql Postgresql	Version 9.1

Configuration C

13 vulnerable

Vulnerable Software	Affected Versions
Postgresql Postgresql	Version 9.0.10
Postgresql Postgresql	Version 9.0.11
Postgresql Postgresql	Version 9.0.12
Postgresql Postgresql	Version 9.0.1
Postgresql Postgresql	Version 9.0.2
Postgresql Postgresql	Version 9.0.3
Postgresql Postgresql	Version 9.0.4
Postgresql Postgresql	Version 9.0.5
Postgresql Postgresql	Version 9.0.6
Postgresql Postgresql	Version 9.0.7
Postgresql Postgresql	Version 9.0.8
Postgresql Postgresql	Version 9.0.9
Postgresql Postgresql	Version 9.0

Configuration D

5 vulnerable

Vulnerable Software	Affected Versions
Canonical Ubuntu Linux	Version 10.04
Canonical Ubuntu Linux	Version 11.10
Canonical Ubuntu Linux	Version 12.04
Canonical Ubuntu Linux	Version 12.10
Canonical Ubuntu Linux	Version 8.04

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (36)

http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html

Source: secalert@redhat.com

http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html

Source: secalert@redhat.com

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html

Source: secalert@redhat.com

http://support.apple.com/kb/HT5880

Source: secalert@redhat.com

http://support.apple.com/kb/HT5892

Source: secalert@redhat.com

http://www.debian.org/security/2013/dsa-2658

Source: secalert@redhat.com

http://www.mandriva.com/security/advisories?name=MDVSA-2013:142

Source: secalert@redhat.com

http://www.postgresql.org/about/news/1456/

Source: secalert@redhat.com

Vendor Advisory

http://www.postgresql.org/docs/current/static/release-9-0-13.html

Source: secalert@redhat.com

http://www.postgresql.org/docs/current/static/release-9-1-9.html

Source: secalert@redhat.com

http://www.postgresql.org/docs/current/static/release-9-2-4.html

Source: secalert@redhat.com

http://www.postgresql.org/support/security/faq/2013-04-04/

Source: secalert@redhat.com

Vendor Advisory

http://www.ubuntu.com/usn/USN-1789-1

Source: secalert@redhat.com

http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://support.apple.com/kb/HT5880

Source: af854a3a-2127-422b-91ae-364da2661108

http://support.apple.com/kb/HT5892

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.debian.org/security/2013/dsa-2658

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mandriva.com/security/advisories?name=MDVSA-2013:142

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.postgresql.org/about/news/1456/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.postgresql.org/docs/current/static/release-9-0-13.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.postgresql.org/docs/current/static/release-9-1-9.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.postgresql.org/docs/current/static/release-9-2-4.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.postgresql.org/support/security/faq/2013-04-04/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

http://www.ubuntu.com/usn/USN-1789-1

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.