製品・ソフトウェアに関する情報

JVN脆弱性詳細

PostgreSQL におけるサービス運用妨害 (DoS) の脆弱性

Title	PostgreSQL におけるサービス運用妨害 (DoS) の脆弱性
Summary	PostgreSQL には、引数の挿入により、サービス運用妨害 (ファイルの破損) 状態にされる、構成設定を変更される、および任意のコードを実行される脆弱性が存在します。
Possible impacts	第三者によりサービス運用妨害 (ファイルの破損) 状態にされる、およびリモート認証されたユーザにより "-" (ハイフン) を含むデータベース名を使用した接続リクエストを介して、構成設定を変更される、および任意のコードを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 4, 2013, midnight
Registration Date	April 5, 2013, 2:24 p.m.
Last Update	Dec. 5, 2013, 11:07 a.m.

CVSS2.0 : 警告
Score	6.5
Vector	AV:N/AC:L/Au:S/C:P/I:P/A:P

Affected System

PostgreSQL.org

PostgreSQL 9.0.13 未満の 9.0.x

PostgreSQL 9.1.9 未満の 9.1.x

PostgreSQL 9.2.4 未満の 9.2.x

アップル

Apple Mac OS X v10.7.5

Apple Mac OS X v10.8 から v10.8.4

Apple Mac OS X Server v10.7.5

macOS Server (旧 OS X Server) v2.2.2 未満 (Apple Mac OS X v10.8 以降)

Canonical

Ubuntu 10.04 LTS

Ubuntu 11.10

Ubuntu 12.04 LTS

Ubuntu 12.10

Ubuntu 8.04 LTS

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-1899	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1899
National Vulnerability Database (NVD)
2	CVE-2013-1899	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1899

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-94	https://jvndb.jvn.jp/ja/cwe/CWE-94.html

ベンダー情報

No	Name	URL
Apple Mailing Lists
1	APPLE-SA-2013-09-12-1	http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
2	APPLE-SA-2013-09-17-1	http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
Apple Security Updates
3	HT5880	http://support.apple.com/kb/HT5880
4	HT5892	http://support.apple.com/kb/HT5892
Apple セキュリティアップデート
5	HT5880	http://support.apple.com/kb/HT5880?viewlocale=ja_JP
6	HT5892	http://support.apple.com/kb/HT5892?viewlocale=ja_JP
Debian セキュリティ勧告
7	DSA-2658	http://www.debian.org/security/2013/dsa-2658
Fedora Update Notification
8	FEDORA-2013-5000	https://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
9	FEDORA-2013-6148	https://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
opensuse-security-announce
10	openSUSE-SU-2013:0627	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
11	openSUSE-SU-2013:0628	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
12	openSUSE-SU-2013:0635	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
13	SUSE-SU-2013:0633	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
PostgreSQL
14	2013-04-04 Security Release FAQ	http://www.postgresql.org/support/security/faq/2013-04-04/
PostgreSQL NEWS
15	PostgreSQL 9.2.4, 9.1.9, 9.0.13 and 8.4.17 released	http://www.postgresql.org/about/news/1456/
PostgreSQL Release Notes
16	Release 9.0.13	http://www.postgresql.org/docs/current/static/release-9-0-13.html
17	Release 9.1.9	http://www.postgresql.org/docs/current/static/release-9-1-9.html
18	Release 9.2.4	http://www.postgresql.org/docs/current/static/release-9-2-4.html
Security Advisories
19	MDVSA-2013:142	http://www.mandriva.com/en/support/security/advisories/advisory/MDVSA-2013:142/?name=MDVSA-2013:142
Ubuntu Security Notice
20	USN-1789-1	http://www.ubuntu.com/usn/USN-1789-1/

Change Log

No	Changed Details	Date of change
0	[2013年04月05日] 掲載 [2013年04月26日] ベンダ情報：Debian (DSA-2658) を追加ベンダ情報：Novell (openSUSE-SU-2013:0635) を追加ベンダ情報：Novell (SUSE-SU-2013:0633) を追加ベンダ情報：Novell (openSUSE-SU-2013:0628) を追加ベンダ情報：Novell (openSUSE-SU-2013:0627) を追加 [2013年10月09日] 影響を受けるシステム：アップル (HT5880) の情報を追加影響を受けるシステム：アップル (HT5892) の情報を追加ベンダ情報：アップル (HT5880) を追加ベンダ情報：アップル (HT5892) を追加ベンダ情報：アップル (APPLE-SA-2013-09-17-1) を追加ベンダ情報：アップル (APPLE-SA-2013-09-12-1) を追加 [2013年12月05日] ベンダ情報：Fedora Project (FEDORA-2013-5000) を追加ベンダ情報：Fedora Project (FEDORA-2013-6148) を追加ベンダ情報：Mandriva, Inc. (MDVSA-2013:142) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2013-1899

Summary	Argument injection vulnerability in PostgreSQL 9.2.x before 9.2.4, 9.1.x before 9.1.9, and 9.0.x before 9.0.13 allows remote attackers to cause a denial of service (file corruption), and allows remote authenticated users to modify configuration settings and execute arbitrary code, via a connection request using a database name that begins with a "-" (hyphen).
Publication Date	April 5, 2013, 2:55 a.m.
Registration Date	Jan. 26, 2021, 3:37 p.m.
Last Update	Nov. 21, 2024, 10:50 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.2.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.2.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.2.2:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.1.4:::::::*
cpe:2.3:a:postgresql:postgresql:9.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.5:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.8:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.6:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.7:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.1:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.0.11:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.7:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.6:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.10:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.4:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.9:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.0:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.5:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.12:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.8:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:8.04:-:lts:::::*
cpe:2.3:o:canonical:ubuntu_linux:11.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::*
cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
2	http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
3	http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
4	http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
5	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
6	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
7	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
8	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
9	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
10	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
11	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
12	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
13	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
14	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
15	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
16	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
17	http://support.apple.com/kb/HT5880
18	http://support.apple.com/kb/HT5880
19	http://support.apple.com/kb/HT5892
20	http://support.apple.com/kb/HT5892
21	http://www.debian.org/security/2013/dsa-2658
22	http://www.debian.org/security/2013/dsa-2658
23	http://www.mandriva.com/security/advisories?name=MDVSA-2013:142
24	http://www.mandriva.com/security/advisories?name=MDVSA-2013:142
25	http://www.postgresql.org/about/news/1456/	Vendor Advisory
26	http://www.postgresql.org/about/news/1456/	Vendor Advisory
27	http://www.postgresql.org/docs/current/static/release-9-0-13.html
28	http://www.postgresql.org/docs/current/static/release-9-0-13.html
29	http://www.postgresql.org/docs/current/static/release-9-1-9.html
30	http://www.postgresql.org/docs/current/static/release-9-1-9.html
31	http://www.postgresql.org/docs/current/static/release-9-2-4.html
32	http://www.postgresql.org/docs/current/static/release-9-2-4.html
33	http://www.postgresql.org/support/security/faq/2013-04-04/	Vendor Advisory
34	http://www.postgresql.org/support/security/faq/2013-04-04/	Vendor Advisory
35	http://www.ubuntu.com/usn/USN-1789-1
36	http://www.ubuntu.com/usn/USN-1789-1

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-94	コード・インジェクション	https://cwe.mitre.org/data/definitions/94.html

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.1.4:::::::*
cpe:2.3:a:postgresql:postgresql:9.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.5:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.8:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.6:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.7:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.1:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.0.11:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.7:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.6:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.10:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.4:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.9:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.0:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.5:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.12:::::::*
cpe:2.3:a:postgresql:postgresql:9.0.8:::::::*