ID CVE-2013-1899
Summary Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).
References
Vulnerable Configurations
  • PostgreSQL 9.2.1
    cpe:2.3:a:postgresql:postgresql:9.2.1
  • PostgreSQL 9.2
    cpe:2.3:a:postgresql:postgresql:9.2
  • PostgreSQL 9.2.2
    cpe:2.3:a:postgresql:postgresql:9.2.2
  • PostgreSQL 9.2.3
    cpe:2.3:a:postgresql:postgresql:9.2.3
  • PostgreSQL 9.1.7
    cpe:2.3:a:postgresql:postgresql:9.1.7
  • PostgreSQL 9.1.3
    cpe:2.3:a:postgresql:postgresql:9.1.3
  • PostgreSQL 9.1.6
    cpe:2.3:a:postgresql:postgresql:9.1.6
  • PostgreSQL 9.1
    cpe:2.3:a:postgresql:postgresql:9.1
  • PostgreSQL 9.1.2
    cpe:2.3:a:postgresql:postgresql:9.1.2
  • PostgreSQL 9.1.1
    cpe:2.3:a:postgresql:postgresql:9.1.1
  • PostgreSQL 9.1.5
    cpe:2.3:a:postgresql:postgresql:9.1.5
  • PostgreSQL 9.1.4
    cpe:2.3:a:postgresql:postgresql:9.1.4
  • PostgreSQL 9.1.8
    cpe:2.3:a:postgresql:postgresql:9.1.8
  • PostgreSQL 9.0
    cpe:2.3:a:postgresql:postgresql:9.0
  • PostgreSQL 9.0.8
    cpe:2.3:a:postgresql:postgresql:9.0.8
  • PostgreSQL 9.0.7
    cpe:2.3:a:postgresql:postgresql:9.0.7
  • PostgreSQL 9.0.1
    cpe:2.3:a:postgresql:postgresql:9.0.1
  • PostgreSQL 9.0.2
    cpe:2.3:a:postgresql:postgresql:9.0.2
  • PostgreSQL 9.0.6
    cpe:2.3:a:postgresql:postgresql:9.0.6
  • PostgreSQL 9.0.4
    cpe:2.3:a:postgresql:postgresql:9.0.4
  • PostgreSQL 9.0.5
    cpe:2.3:a:postgresql:postgresql:9.0.5
  • PostgreSQL 9.0.3
    cpe:2.3:a:postgresql:postgresql:9.0.3
  • PostgreSQL 9.0.9
    cpe:2.3:a:postgresql:postgresql:9.0.9
  • PostgreSQL 9.0.11
    cpe:2.3:a:postgresql:postgresql:9.0.11
  • PostgreSQL 9.0.10
    cpe:2.3:a:postgresql:postgresql:9.0.10
  • PostgreSQL 9.0.12
    cpe:2.3:a:postgresql:postgresql:9.0.12
  • Canonical Ubuntu Linux 12.10
    cpe:2.3:o:canonical:ubuntu_linux:12.10
  • Canonical Ubuntu Linux 12.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts
  • Canonical Ubuntu Linux 11.10
    cpe:2.3:o:canonical:ubuntu_linux:11.10
  • Canonical Ubuntu Linux 10.04 LTS
    cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts
  • Canonical Ubuntu Linux 8.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:8.04:-:lts
CVSS
Base: 6.5 (as of 04-04-2013 - 14:11)
Impact:
Exploitability:
CWE CWE-94
CAPEC
  • Leverage Executable Code in Non-Executable Files
    An attack of this type exploits a system's trust in configuration and resource files. When the executable loads the resource (such as an image file or configuration file), the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. an application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated, mashing up resources from local and remote sources, the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing a buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028, where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading PDF files. In this case the attacker simply appends JavaScript to the end of a legitimate URL for a PDF (http://www.gnucitizen.org/blog/danger-danger-danger/): http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here. The client assumes that they are reading a PDF, but the attacker has modified the resource and loaded executable JavaScript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server; adding the role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when it is manipulated, the attacker gains full control.
  • Manipulating User-Controlled Variables
    This attack targets user-controlled variables (DEBUG=1, PHP Globals, and so forth). An attacker can override environment variables by leveraging user-supplied, untrusted query variables that are used directly on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Access
Vector    Complexity    Authentication
NETWORK   LOW           SINGLE_INSTANCE
Impact
Confidentiality    Integrity    Availability
PARTIAL            PARTIAL      PARTIAL
metasploit via4
description This module can identify PostgreSQL 9.0, 9.1, and 9.2 servers that are vulnerable to command-line flag injection through CVE-2013-1899. This can lead to denial of service, privilege escalation, or even arbitrary code execution.
id MSF:AUXILIARY/SCANNER/POSTGRES/POSTGRES_DBNAME_FLAG_INJECTION
last seen 2019-03-11
modified 2017-07-24
published 2013-04-04
reliability Normal
reporter Rapid7
source https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/postgres/postgres_dbname_flag_injection.rb
title PostgreSQL Database Name Command Line Flag Injection
nessus via4
  • NASL family Databases
    NASL id POSTGRESQL_CVE20131899.NASL
    description The version of PostgreSQL installed on the remote host is 9.0.x prior to 9.0.13, 9.1.x prior to 9.1.9 or 9.2.x prior to 9.2.4. As such, it is potentially affected by a file deletion vulnerability. A remote, unauthenticated attacker could damage or destroy files within a server's data directory by requesting a database name that begins with '-'.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 65855
    published 2013-04-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65855
    title PostgreSQL 9.0 < 9.0.13 / 9.1 < 9.1.9 / 9.2 < 9.2.4 File Deletion
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SERVER_2_2_2.NASL
    description The remote Mac OS X 10.8 host has a version of OS X Server installed that is prior to 2.2.2. It is, therefore, affected by the following vulnerabilities:
      - Two vulnerabilities exist in the included ClamAV software, the most serious of which could allow an attacker to execute arbitrary code remotely. (CVE-2013-2020 / CVE-2013-2021)
      - Three vulnerabilities exist in the included PostgreSQL software, the most serious of which could result in data corruption or privilege escalation. (CVE-2013-1899 / CVE-2013-1900 / CVE-2013-1901)
      - Multiple cross-site scripting issues exist in the included Wiki Server software. (CVE-2013-1034)
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 69932
    published 2013-09-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69932
    title Mac OS X : OS X Server < 2.2.2 Multiple Vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_3F332F169B6B11E28FE908002798F6FF.NASL
    description PostgreSQL project reports: The PostgreSQL Global Development Group has released a security update to all current versions of the PostgreSQL database system, including versions 9.2.4, 9.1.9, 9.0.13, and 8.4.17. This update fixes a high-exposure security vulnerability in versions 9.0 and later. All users of the affected versions are strongly urged to apply the update *immediately*. A major security issue (for versions 9.x only) fixed in this release, [CVE-2013-1899](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899), makes it possible for a connection request containing a database name that begins with '-' to be crafted that can damage or destroy files within a server's data directory. Anyone with access to the port the PostgreSQL server listens on can initiate this request. This issue was discovered by Mitsumasa Kondo and Kyotaro Horiguchi of NTT Open Source Software Center. Two lesser security fixes are also included in this release: [CVE-2013-1900](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1900), wherein random numbers generated by contrib/pgcrypto functions may be easy for another database user to guess (all versions), and [CVE-2013-1901](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901), which mistakenly allows an unprivileged user to run commands that could interfere with in-progress backups (for versions 9.x only).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 65841
    published 2013-04-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65841
    title FreeBSD : PostgreSQL -- anonymous remote access data corruption vulnerability (3f332f16-9b6b-11e2-8fe9-08002798f6ff)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201408-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-201408-15 (PostgreSQL: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in PostgreSQL. Please review the CVE identifiers referenced below for details. Impact: A remote authenticated attacker may be able to create a Denial of Service condition, bypass security restrictions, or have other unspecified impact. Workaround: There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 77459
    published 2014-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77459
    title GLSA-201408-15 : PostgreSQL: Multiple vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1789-1.NASL
    description Mitsumasa Kondo and Kyotaro Horiguchi discovered that PostgreSQL incorrectly handled certain connection requests containing database names starting with a dash. A remote attacker could use this flaw to damage or destroy files within a server's data directory. This issue only applied to Ubuntu 11.10, Ubuntu 12.04 LTS, and Ubuntu 12.10. (CVE-2013-1899) Marko Kreen discovered that PostgreSQL incorrectly generated random numbers. An authenticated attacker could use this flaw to possibly guess another database user's random numbers. (CVE-2013-1900) Noah Misch discovered that PostgreSQL incorrectly handled certain privilege checks. An unprivileged attacker could use this flaw to possibly interfere with in-progress backups. This issue only applied to Ubuntu 11.10, Ubuntu 12.04 LTS, and Ubuntu 12.10. (CVE-2013-1901). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 65818
    published 2013-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65818
    title Ubuntu 8.04 LTS / 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : postgresql-8.3, postgresql-8.4, postgresql-9.1 vulnerabilities (USN-1789-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-6148.NASL
    description - Update to PostgreSQL 9.2.4, for various fixes described at http://www.postgresql.org/docs/9.2/static/release-9-2-4.html including the fixes for CVE-2013-1899, CVE-2013-1900, CVE-2013-1901 - fix build for aarch64 and ppc64p7 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 66168
    published 2013-04-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66168
    title Fedora 19 : postgresql-9.2.4-1.fc19 (2013-6148)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-142.NASL
    description Multiple vulnerabilities have been discovered and corrected in postgresql: PostgreSQL 9.2.x before 9.2.3, 9.1.x before 9.1.8, 9.0.x before 9.0.12, 8.4.x before 8.4.16, and 8.3.x before 8.3.23 does not properly declare the enum_recv function in backend/utils/adt/enum.c, which causes it to be invoked with incorrect arguments and allows remote authenticated users to cause a denial of service (server crash) or read sensitive process memory via a crafted SQL command, which triggers an array index error and an out-of-bounds read (CVE-2013-0255). Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a '-' (hyphen) (CVE-2013-1899). PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the contrib/pgcrypto functions (CVE-2013-1900). PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions (CVE-2013-1901). This advisory provides the latest versions of PostgreSQL that are not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 66154
    published 2013-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66154
    title Mandriva Linux Security Advisory : postgresql (MDVSA-2013:142)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-5000.NASL
    description - Update to PostgreSQL 9.1.9, for various fixes described at http://www.postgresql.org/docs/9.1/static/release-9-1-9.html including the fixes for CVE-2013-1899, CVE-2013-1900, CVE-2013-1901 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 65828
    published 2013-04-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65828
    title Fedora 17 : postgresql-9.1.9-1.fc17 (2013-5000)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-4951.NASL
    description - Update to PostgreSQL 9.2.4, for various fixes described at http://www.postgresql.org/docs/9.2/static/release-9-2-4.html including the fixes for CVE-2013-1899, CVE-2013-1900, CVE-2013-1901 - fix build for aarch64 and ppc64p7 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-24
    plugin id 65827
    published 2013-04-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65827
    title Fedora 18 : postgresql-9.2.4-1.fc18 (2013-4951)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBECPG6-130402.NASL
    description This update to version 9.1.9 fixes:
      - Fix insecure parsing of server command-line switches. (CVE-2013-1899)
      - Reset OpenSSL randomness state in each postmaster child process. (CVE-2013-1900)
      - Make REPLICATION privilege checks test current user not authenticated user. (CVE-2013-1901)
    last seen 2019-02-21
    modified 2015-01-13
    plugin id 65829
    published 2013-04-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65829
    title SuSE 11.2 Security Update : PostgreSQL (SAT Patch Number 7585)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-307.NASL
    description postgresql was updated to version 9.1.9 (bnc#812525):
      - CVE-2013-1899: Fix insecure parsing of server command-line switches. A connection request containing a database name that begins with '-' could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected.
      - CVE-2013-1900: Reset OpenSSL randomness state in each postmaster child process. This avoids a scenario wherein random numbers generated by 'contrib/pgcrypto' functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption.
      - CVE-2013-1901: Make REPLICATION privilege checks test current user not authenticated user. An unprivileged database user could exploit this mistake to call pg_start_backup() or pg_stop_backup(), thus possibly interfering with creation of routine backups.
      - See the release notes for the rest of the changes: http://www.postgresql.org/docs/9.1/static/release-9-1-9.html and /usr/share/doc/packages/postgresql91/HISTORY
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 74963
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74963
    title openSUSE Security Update : postgresql91 (openSUSE-SU-2013:0627-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2013-178.NASL
    description Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a '-' (hyphen). PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions. PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, 9.0.x before 9.0.13, and 8.4.x before 8.4.17, when using OpenSSL, generates insufficiently random numbers, which might allow remote authenticated users to have an unspecified impact via vectors related to the 'contrib/pgcrypto' functions.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 69737
    published 2013-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69737
    title Amazon Linux AMI : postgresql9 (ALAS-2013-178)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2013-004.NASL
    description The remote host is running a version of Mac OS X 10.6 or 10.7 that does not have Security Update 2013-004 applied. This update contains several security-related fixes for the following components: Apache, Bind, Certificate Trust Policy, ClamAV, Installer, IPSec, Mobile Device Management, OpenSSL, PHP, PostgreSQL, QuickTime, sudo. Note that successful exploitation of the most serious issues could result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 69878
    published 2013-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69878
    title Mac OS X Multiple Vulnerabilities (Security Update 2013-004)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_8_5.NASL
    description The remote host is running a version of Mac OS X 10.8.x that is prior to 10.8.5. The newer version contains multiple security-related fixes for the following components: Apache, Bind, Certificate Trust Policy, CoreGraphics, ImageIO, Installer, IPSec, Kernel, Mobile Device Management, OpenSSL, PHP, PostgreSQL, Power Management, QuickTime, Screen Lock, sudo. This update also addresses an issue in which certain Unicode strings could cause applications to unexpectedly quit. Note that successful exploitation of the most serious issues could result in arbitrary code execution.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 69877
    published 2013-09-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=69877
    title Mac OS X 10.8.x < 10.8.5 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-306.NASL
    description postgresql was updated to version 9.2.4 (bnc#812525):
      - CVE-2013-1899: Fix insecure parsing of server command-line switches. A connection request containing a database name that begins with '-' could be crafted to damage or destroy files within the server's data directory, even if the request is eventually rejected.
      - CVE-2013-1900: Reset OpenSSL randomness state in each postmaster child process. This avoids a scenario wherein random numbers generated by 'contrib/pgcrypto' functions might be relatively easy for another database user to guess. The risk is only significant when the postmaster is configured with ssl = on but most connections don't use SSL encryption.
      - CVE-2013-1901: Make REPLICATION privilege checks test current user not authenticated user. An unprivileged database user could exploit this mistake to call pg_start_backup() or pg_stop_backup(), thus possibly interfering with creation of routine backups.
      - See the release notes for the rest of the changes: http://www.postgresql.org/docs/9.2/static/release-9-2-4.html and /usr/share/doc/packages/postgresql92/HISTORY
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 74962
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74962
    title openSUSE Security Update : postgresql92 (openSUSE-SU-2013:0628-1)
refmap via4
apple
  • APPLE-SA-2013-09-12-1
  • APPLE-SA-2013-09-17-1
confirm
debian DSA-2658
fedora
  • FEDORA-2013-5000
  • FEDORA-2013-6148
mandriva MDVSA-2013:142
suse
  • SUSE-SU-2013:0633
  • openSUSE-SU-2013:0627
  • openSUSE-SU-2013:0628
  • openSUSE-SU-2013:0635
ubuntu USN-1789-1
vmware via4
description VMware vFabric Postgres has been updated to resolve several security issues that were found to be present in Postgres.
id VMSA-2013-0005
last_updated 2013-04-04T00:00:00
published 2013-04-04T00:00:00
title VMware vFabric Postgres security vulnerabilities
Last major update 30-11-2013 - 23:27
Published 04-04-2013 - 13:55