CVE-2010-1170

PostgreSQL 7.4-8.4, 9.0 Beta - Authenticated Remote Code Execution via PL/Tcl Module Loading

Title source: llm
STIX 2.1

Description

The PL/Tcl implementation in PostgreSQL 7.4 before 7.4.29, 8.0 before 8.0.25, 8.1 before 8.1.21, 8.2 before 8.2.17, 8.3 before 8.3.11, 8.4 before 8.4.4, and 9.0 Beta before 9.0 Beta 2 loads Tcl code from the pltcl_modules table regardless of the table's ownership and permissions, which allows remote authenticated users, with database-creation privileges, to execute arbitrary Tcl code by creating this table and inserting a crafted Tcl script.

References (36)

Core 36
Core References
Various Sources x_refsource_confirm
http://www.postgresql.org/support/security
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041579.html
Vendor Advisory x_refsource_confirm
http://www.postgresql.org/about/news.1203
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0427.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://www.securitytracker.com/id?1023987
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0428.html
Mailing List vendor-advisory x_refsource_hp
http://marc.info/?l=bugtraq&m=134124585221119&w=2
Third Party Advisory vendor-advisory x_refsource_debian
http://www.debian.org/security/2010/dsa-2051
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39898
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39820
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1198
Patch, Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1167
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1221
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39845
Issue Tracking x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=583072
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/40215
Third Party Advisory, VDB Entry vdb-entry x_refsource_osvdb
http://osvdb.org/64757
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1207
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0430.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041559.html
Mailing List, Third Party Advisory vendor-advisory x_refsource_fedora
http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041591.html
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1182
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39815
Vendor Advisory vendor-advisory x_refsource_redhat
http://www.redhat.com/support/errata/RHSA-2010-0429.html
Vendor Advisory vendor-advisory x_refsource_mandriva
http://www.mandriva.com/security/advisories?name=MDVSA-2010:103
Mailing List mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2010/05/20/5
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/39939
Third Party Advisory, VDB Entry vdb-entry signature x_refsource_oval
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10510
Third Party Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2010/1197

Scores

EPSS 0.0028
EPSS Percentile 51.7%

Details

CWE
CWE-264
Status published
Products (50)
postgresql/postgresql 7.4
postgresql/postgresql 7.4.1
postgresql/postgresql 7.4.2
postgresql/postgresql 7.4.3
postgresql/postgresql 7.4.4
postgresql/postgresql 7.4.5
postgresql/postgresql 7.4.6
postgresql/postgresql 7.4.7
postgresql/postgresql 7.4.8
postgresql/postgresql 7.4.9
... and 40 more
Published May 19, 2010
Tracked Since Feb 18, 2026