CVE-2012-0866

Name of the Vulnerable Software and Affected Versions PostgreSQL versions 8.3.x through 8.3.17 PostgreSQL versions 8.4.x through 8.4.10 PostgreSQL versions 9.0.x through 9.0.6 PostgreSQL versions 9.1.x through 9.1.2

Description The issue concerns the CREATE TRIGGER function in PostgreSQL, which does not properly check the execute permission for trigger functions marked as SECURITY DEFINER. This allows remote authenticated users to execute restricted triggers on arbitrary data by installing the trigger on a table owned by the attacker. The problem lies in the improper checking of permissions on functions called by triggers.

Recommendations For PostgreSQL versions 8.3.x through 8.3.17, update to version 8.3.18 or later. For PostgreSQL versions 8.4.x through 8.4.10, update to version 8.4.11 or later. For PostgreSQL versions 9.0.x through 9.0.6, update to version 9.0.7 or later. For PostgreSQL versions 9.1.x through 9.1.2, update to version 9.1.3 or later.