ByteOS Network

NVD Vulnerability Details :

CVE-2009-3231

Analyzed

Source-cve@mitre.org

Published At-17 Sep, 2009 | 10:30

Updated At-13 Feb, 2024 | 17:41

The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	2.0	6.8	MEDIUM	AV:N/AC:M/Au:N/C:P/I:P/A:P

Type: Primary

Version: 2.0

Base score: 6.8

Base severity: MEDIUM

Vector:

AV:N/AC:M/Au:N/C:P/I:P/A:P

CPE Matches

The PostgreSQL Global Development Group

>>postgresql>>Versions from 8.2(inclusive) to 8.2.14(exclusive)

cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

The PostgreSQL Global Development Group

>>postgresql>>Versions from 8.3(inclusive) to 8.3.8(exclusive)

cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

openSUSE

>>opensuse>>Versions from 10.3(inclusive) to 11.1(inclusive)

cpe:2.3:o:opensuse:opensuse:*:*:*:*:*:*:*:*

SUSE

>>linux_enterprise>>10.0

cpe:2.3:o:suse:linux_enterprise:10.0:sp2:*:*:*:*:*:*

SUSE

>>linux_enterprise>>11.0

cpe:2.3:o:suse:linux_enterprise:11.0:-:*:*:*:*:*:*

SUSE

>>linux_enterprise_server>>9

cpe:2.3:o:suse:linux_enterprise_server:9:*:*:*:*:*:*:*

Fedora Project

>>fedora>>10

cpe:2.3:o:fedoraproject:fedora:10:*:*:*:*:*:*:*

Fedora Project

>>fedora>>11

cpe:2.3:o:fedoraproject:fedora:11:*:*:*:*:*:*:*

Canonical Ltd.

>>ubuntu_linux>>6.06

cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*

Canonical Ltd.

>>ubuntu_linux>>8.04

cpe:2.3:o:canonical:ubuntu_linux:8.04:*:*:*:-:*:*:*

Canonical Ltd.

>>ubuntu_linux>>8.10

cpe:2.3:o:canonical:ubuntu_linux:8.10:*:*:*:*:*:*:*

Canonical Ltd.

>>ubuntu_linux>>9.04

cpe:2.3:o:canonical:ubuntu_linux:9.04:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-287	Primary	nvd@nist.gov

CWE ID: CWE-287

Type: Primary

Source: nvd@nist.gov

Vendor Statements

Organization : Red Hat

Last Modified : 2009-09-24T00:00:00

Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 3, 4, or 5, as they do not support LDAP authentication, which was introduced upstream in version 8.2. This issue was addressed in Red Hat Application Stack v2 via https://rhn.redhat.com/errata/RHSA-2009-1461.html .

References

Hyperlink	Source	Resource
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html	cve@mitre.org	Mailing List
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html	cve@mitre.org	Mailing List
http://marc.info/?l=bugtraq&m=134124585221119&w=2	cve@mitre.org	Mailing List
http://secunia.com/advisories/36660	cve@mitre.org	Broken Link Vendor Advisory
http://secunia.com/advisories/36727	cve@mitre.org	Broken Link Vendor Advisory
http://secunia.com/advisories/36800	cve@mitre.org	Broken Link
http://secunia.com/advisories/36837	cve@mitre.org	Broken Link
http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0012	cve@mitre.org	Broken Link
http://www.postgresql.org/docs/8.3/static/release-8-3-8.html	cve@mitre.org	Release Notes
http://www.postgresql.org/support/security.html	cve@mitre.org	Broken Link Vendor Advisory
http://www.securityfocus.com/archive/1/509917/100/0/threaded	cve@mitre.org	Broken Link Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/36314	cve@mitre.org	Broken Link Third Party Advisory VDB Entry
http://www.ubuntu.com/usn/usn-834-1	cve@mitre.org	Third Party Advisory
http://www.us.debian.org/security/2009/dsa-1900	cve@mitre.org	Broken Link
https://bugzilla.redhat.com/show_bug.cgi?id=522084	cve@mitre.org	Issue Tracking Patch
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html	cve@mitre.org	Mailing List
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html	cve@mitre.org	Mailing List