PT-2005-4413 · Postgresql+1 · Mod Auth Pgsql+1

Published

2005-12-31

Updated

2018-10-03

CVE-2005-3656

CVSS v2.0

High

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions mod auth pgsql versions prior to 2.0.3

Description The issue concerns multiple format string vulnerabilities in logging functions. These vulnerabilities can be exploited by remote unauthenticated attackers to execute arbitrary code when mod auth pgsql is used for user authentication against a PostgreSQL database. This can be achieved by manipulating the username variable.

Recommendations For versions prior to 2.0.3, update to version 2.0.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the logging functions until a patch is available. Avoid using user-supplied input for the username variable in the affected logging functions until the issue is resolved.

Fix

Use of Externally-Controlled Format String

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-134

Related Identifiers

CVE-2005-3656

DSA-935-1

RHSA-2006:0164

RHSA-2006_0164

Affected Products

Red Hat

Mod Auth Pgsql

PT-2005-4413 · Postgresql+1 · Mod Auth Pgsql+1

CVE-2005-3656

Weakness Enumeration

Related Identifiers

Affected Products

References · 27