Vulnerability CVE-2007-2138 - CERT Civis.Net

Vulnerability Name:

CVE-2007-2138 (CCN-33842)

Assigned:

2007-04-23

Published:

2007-04-23

Updated:

2018-10-19

Summary:

Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x before 8.0.13, 8.1.x before 8.1.9, and 8.2.x before 8.2.4 allows remote authenticated users, when permitted to call a SECURITY DEFINER function, to gain the privileges of the function owner, related to "search_path settings."

CVSS v3 Severity:

9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
4.4 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
6.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2007-2138

Source: CCN
Type: RHSA-2007-0336
Moderate: postgresql security update

Source: REDHAT
Type: Third Party Advisory
RHSA-2007:0336

Source: CCN
Type: RHSA-2007-0337
Moderate: postgresql security update

Source: SECUNIA
Type: Third Party Advisory
24989

Source: SECUNIA
Type: Third Party Advisory
24999

Source: SECUNIA
Type: Third Party Advisory
25005

Source: CCN
Type: SA25019
PostgreSQL SECURITY DEFINER Functions Privilege Escalation

Source: SECUNIA
Type: Third Party Advisory
25019

Source: CCN
Type: SA25037
Sun Solaris PostgreSQL SECURITY DEFINER Privilege Escalation

Source: SECUNIA
Type: Third Party Advisory
25037

Source: SECUNIA
Type: Third Party Advisory
25058

Source: SECUNIA
Type: Third Party Advisory
25184

Source: SECUNIA
Type: Third Party Advisory
25238

Source: CCN
Type: SA25334
Avaya Products PostgreSQL SECURITY DEFINER Privilege Escalation

Source: SECUNIA
Type: Third Party Advisory
25334

Source: SECUNIA
Type: Third Party Advisory
25717

Source: SECUNIA
Type: Third Party Advisory
25720

Source: SECUNIA
Type: Third Party Advisory
25725

Source: GENTOO
Type: Third Party Advisory
GLSA-200705-12

Source: CCN
Type: SECTRACK ID: 1017974
PostgreSQL Lets Remote Authenticated Users Gain Elevated SQL Privileges

Source: CCN
Type: Sun Alert ID: 102894
Security Vulnerability in PostgreSQL SECURITY DEFINER Functions May Allow Escalation of Privileges

Source: SUNALERT
Type: Broken Link
102894

Source: CCN
Type: ASA-2007-172
Security Vulnerability in PostgreSQL SECURITY DEFINER Functions May Allow Escalation of Privileges (Sun 102894)

Source: CONFIRM
Type: Third Party Advisory
http://support.avaya.com/elmodocs2/security/ASA-2007-190.htm

Source: CCN
Type: ASA-2007-190
PostgreSQL security update (RHSA-2007-0336 and RHSA-2007-0337)

Source: DEBIAN
Type: Third Party Advisory
DSA-1309

Source: DEBIAN
Type: Third Party Advisory
DSA-1311

Source: DEBIAN
Type: DSA-1309
postgresql-8.1 -- programming error

Source: DEBIAN
Type: DSA-1311
postgresql-7.4 -- programming error

Source: CCN
Type: GLSA-200705-12
PostgreSQL: Privilege escalation

Source: MANDRIVA
Type: Third Party Advisory
MDKSA-2007:094

Source: CCN
Type: PostgreSQL News, 2007-04-23
Security Update Releases

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.postgresql.org/about/news.791

Source: CCN
Type: PostgreSQL Web site
PostgreSQL: Security Information

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www.postgresql.org/support/security.html

Source: REDHAT
Type: Third Party Advisory
RHSA-2007:0337

Source: BID
Type: Third Party Advisory, VDB Entry
23618

Source: CCN
Type: BID-23618
PostgreSQL SECURITY DEFINER Function Local Privilege Escalation Vulnerability

Source: SECTRACK
Type: Third Party Advisory, VDB Entry
1017974

Source: TRUSTIX
Type: Broken Link
2007-0015

Source: CCN
Type: USN-454-1
PostgreSQL vulnerability

Source: UBUNTU
Type: Third Party Advisory
USN-454-1

Source: VUPEN
Type: Third Party Advisory
ADV-2007-1497

Source: VUPEN
Type: Third Party Advisory
ADV-2007-1549

Source: XF
Type: Third Party Advisory, VDB Entry
postgresql-searchpath-privilege-escalation(33842)

Source: XF
Type: UNKNOWN
postgresql-searchpath-privilege-escalation(33842)

Source: CONFIRM
Type: Broken Link
https://issues.rpath.com/browse/RPL-1292

Source: OVAL
Type: Third Party Advisory
oval:org.mitre.oval:def:10090

Vulnerable Configuration:

Configuration 1:

cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version < 7.3.19)

OR cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version >= 7.4 and < 7.4.17)

OR cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version >= 8.0 and < 8.0.13)

OR cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version >= 8.1 and < 8.1.9)

OR cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version >= 8.2 and < 8.2.4)

Configuration 2:

cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:canonical:ubuntu_linux:6.06:*:*:*:lts:*:*:*

OR cpe:/o:canonical:ubuntu_linux:6.10:*:*:*:*:*:*:*

OR cpe:/o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:4:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

Configuration RedHat 7:

cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

Configuration RedHat 8:

cpe:/o:redhat:enterprise_linux:5::client_workstation:*:*:*:*:*

Configuration RedHat 9:

cpe:/o:redhat:enterprise_linux:5::server:*:*:*:*:*

Configuration CCN 1:

cpe:/a:postgresql:postgresql:7.3:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.3:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.0:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.1:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.2:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.1:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.2:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.3:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.1:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.2:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.4:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.5:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.6:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.7:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.4:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.5:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.6:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.7:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.8:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.9:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.0.1:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.0.2:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.0.5:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.0.4:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.0.3:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.1.1:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.1.2:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.0.6:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.11:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.10:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.9:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.8:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.13:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.12:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.11:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.10:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.1.3:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.0.7:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.14:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.12:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.1.4:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.0.8:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.14:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.13:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.15:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.2.1:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.1.6:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.1.5:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.0.10:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:8.0.9:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.16:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.4.15:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.18:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.17:*:*:*:*:*:*:*

OR cpe:/a:postgresql:postgresql:7.3.16:*:*:*:*:*:*:*

AND

cpe:/o:gentoo:linux:*:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::ws:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:3::desktop:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::desktop:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::es:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4::ws:*:*:*:*:*

OR cpe:/o:debian:debian_linux:3.1:*:*:*:*:*:*:*

OR cpe:/o:sun:solaris:10::sparc:*:*:*:*:*

OR cpe:/o:sun:solaris:10::x86:*:*:*:*:*

OR cpe:/o:canonical:ubuntu:6.06::lts:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007::x86_64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:4.0::x86_64:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux_corporate_server:3.0::x86_64:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_desktop:5.0:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:client_workstation:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007.1:*:*:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2008.0::x86-64:*:*:*:*:*

OR cpe:/o:debian:debian_linux:4.0:*:*:*:*:*:*:*

OR cpe:/o:canonical:ubuntu:7.04:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:server:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:5:*:client:*:*:*:*:*

OR cpe:/o:mandrakesoft:mandrake_linux:2007.1::x86-64:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4.5.z::as:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:4.5.z::es:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:20469	P	DSA-1309-1 postgresql-8.1	2014-06-23
oval:org.mitre.oval:def:20481	P	DSA-1311-1 postgresql-7.4	2014-06-23
oval:org.mitre.oval:def:21808	P	ELSA-2007:0336: postgresql security update (Moderate)	2014-05-26
oval:org.mitre.oval:def:10090	V	Untrusted search path vulnerability in PostgreSQL before 7.3.19, 7.4.x before 7.4.17, 8.0.x before 8.0.13, 8.1.x before 8.1.9, and 8.2.x before 8.2.4 allows remote authenticated users, when permitted to call a SECURITY DEFINER function, to gain the privileges of the function owner, related to "search_path settings."	2013-04-29
oval:org.debian:def:1311	V	programming error	2007-06-17
oval:org.debian:def:1309	V	programming error	2007-06-16
oval:com.redhat.rhsa:def:20070336	P	RHSA-2007:0336: postgresql security update (Moderate)	2007-05-08