PT-2013-6351 · PostgreSQL
Credit: Kyotaro Horiguchi +1
Published 1970-01-01 · Updated 2024-06-15
CVE-2013-1899

| CVSS v2.0 | Severity | Vector |
| 8.5 | High | AV:N/AC:M/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
PostgreSQL versions 9.2.x before 9.2.4
PostgreSQL versions 9.1.x before 9.1.9
PostgreSQL versions 9.0.x before 9.0.13
libpq5-x86 (affected versions not specified)
libecpg6 (affected versions not specified)
libpq5 (affected versions not specified)
libpq5-32bit (affected versions not specified)
Description
The issue allows remote attackers to cause a denial of service, and allows remote authenticated users to modify configuration settings and execute arbitrary code. A connection request containing a database name that begins with a "-" (hyphen) may be crafted to damage or destroy files within the server's data directory. Exploitation may lead to a violation of the confidentiality, integrity, and availability of protected information, and can be carried out remotely by an attacker who has passed the authentication procedure.
Recommendations
For PostgreSQL versions 9.2.x before 9.2.4, update to version 9.2.4 or later.
For PostgreSQL versions 9.1.x before 9.1.9, update to version 9.1.9 or later.
For PostgreSQL versions 9.0.x before 9.0.13, update to version 9.0.13 or later.
For libpq5-x86, libecpg6, libpq5, and libpq5-32bit, at the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the vulnerable components to minimize the risk of exploitation. Avoid using database names that begin with a "-" (hyphen) in connection requests until the issue is resolved.
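Two defender-side checks that follow from the description and the workaround above, written here as an added example rather than code from the advisory or from PostgreSQL: a pre-flight validation that rejects a connection string whose database name begins with "-", and a scan of `log_connections` output for sessions that were authorized to such a database. The DSNs and log lines are constructed samples; the log format assumed is the `connection authorized: user=... database=...` line PostgreSQL emits when `log_connections` is on.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed connection strings in both libpq formats (not from the advisory).
KEYWORD_DSN = "host=db.internal dbname=-bad user=app"
URI_DSN = "postgresql://app@db.internal:5432/inventory?sslmode=require"

# Constructed log lines mimicking PostgreSQL's log_connections output.
SAMPLE_LOG = """\
LOG:  connection received: host=10.0.0.7 port=51234
LOG:  connection authorized: user=app database=inventory
LOG:  connection authorized: user=app database=-bad
"""


def dbname_from_dsn(dsn: str) -> Optional[str]:
    """Return the database name from a keyword DSN or a postgresql:// URI."""
    if dsn.startswith(("postgresql://", "postgres://")):
        path = urlsplit(dsn).path.lstrip("/")
        return unquote(path) or None
    # Keyword form: dbname=value or dbname='quoted value'.
    m = re.search(r"(?:^|\s)dbname=(?:'([^']*)'|(\S+))", dsn)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def dbname_is_safe(name: Optional[str]) -> bool:
    """A missing name falls back to the user name; a leading '-' is rejected."""
    return name is None or not name.startswith("-")


def check_dsn(dsn: str) -> bool:
    """True when the DSN's database name does not start with a hyphen."""
    return dbname_is_safe(dbname_from_dsn(dsn))


LOG_RE = re.compile(r"connection authorized: user=(\S+) database=(\S+)")


def find_hyphen_dbnames(log_text: str) -> List[Tuple[str, str]]:
    """List (user, database) pairs authorized to a database named '-...'."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group(2).startswith("-"):
            hits.append((m.group(1), m.group(2)))
    return hits
```

Run `check_dsn` before handing a DSN to an application on an unpatched server, and feed `find_hyphen_dbnames` the server log to spot attempts that already reached it.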
Exploit
DoS
Code Injection
Weakness Enumeration
Related identifiers
Affected products
Postgresql
Suse
Libecpg6
Libpq5
Libpq5-32Bit
Libpq5-X86