CVE-2009-3231

Name of the Vulnerable Software and Affected Versions PostgreSQL versions 8.2 through 8.2.14 PostgreSQL versions 8.3 through 8.3.8

Description The issue allows remote attackers to bypass authentication via an empty password when using LDAP authentication with anonymous binds. If PostgreSQL is configured with LDAP authentication and the LDAP configuration allows anonymous binds, it is possible for a user to authenticate themselves with an empty password.

Recommendations For PostgreSQL versions 8.2 through 8.2.14, update to version 8.2.14 or later to resolve the issue. For PostgreSQL versions 8.3 through 8.3.8, update to version 8.3.8 or later to resolve the issue. As a temporary workaround, consider disabling LDAP authentication with anonymous binds until a patch is available. Restrict access to the LDAP configuration to minimize the risk of exploitation.