CVE-2007-3279
PostgreSQL 8.1 and later - Unauthenticated Arbitrary Function Execution via PL/pgSQL PUBLIC Privileges
Title source: llmDescription
PostgreSQL 8.1 and probably later versions, when the PL/pgSQL (plpgsql) language has been created, grants certain plpgsql privileges to the PUBLIC domain, which allows remote attackers to create and execute functions, as demonstrated by functions that perform local brute-force password guessing attacks, which may evade intrusion detection.
References (6)

Core References
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://osvdb.org/40900
- Various Sources (x_refsource_misc): http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
- Vendor Advisory (vendor-advisory, x_refsource_mandriva): http://www.mandriva.com/security/advisories?name=MDKSA-2007:188
- Various Sources (x_refsource_misc): http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf
- Third Party Advisory, VDB Entry (mailing-list, x_refsource_bugtraq): http://www.securityfocus.com/archive/1/471541/100/0/threaded
- Third Party Advisory, VDB Entry (vdb-entry, x_refsource_xf): https://exchange.xforce.ibmcloud.com/vulnerabilities/35144
Scores
- EPSS: 0.0289
- EPSS Percentile: 86.5%
Details
- Status: published
- Products (1): postgresql/postgresql 8.1
- Published: Jun 19, 2007
- Tracked Since: Feb 18, 2026