CVE-2016-5424

HIGH

Debian Linux < 9.1.22 - Code Injection

Title source: rule

Description

PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.

References (15)

Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2016-1781.html
Release Notes, Vendor Advisory (x_refsource_confirm): https://www.postgresql.org/docs/current/static/release-9-4-9.html
Third Party Advisory, VDB Entry (x_refsource_sectrack): http://www.securitytracker.com/id/1036617
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2016-1821.html
Third Party Advisory (x_refsource_debian): http://www.debian.org/security/2016/dsa-3646
Third Party Advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/201701-33
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2017:2425
Release Notes, Vendor Advisory (x_refsource_confirm): https://www.postgresql.org/docs/current/static/release-9-5-4.html
Release Notes, Vendor Advisory (x_refsource_confirm): https://www.postgresql.org/docs/current/static/release-9-3-14.html
Patch, Third Party Advisory, VDB Entry (x_refsource_confirm): https://www.postgresql.org/about/news/1688/
Release Notes, Vendor Advisory (x_refsource_confirm): https://www.postgresql.org/docs/current/static/release-9-2-18.html
Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/92435
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2016-2606.html
Vendor Advisory (x_refsource_redhat): http://rhn.redhat.com/errata/RHSA-2016-1820.html
Release Notes, Vendor Advisory (x_refsource_confirm): https://www.postgresql.org/docs/current/static/release-9-1-23.html

Scores

CVSS v3 7.1
EPSS 0.0167
EPSS Percentile 82.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (47)
debian/debian_linux 8.0
postgresql/postgresql 9.2
postgresql/postgresql 9.2.1
postgresql/postgresql 9.2.2
postgresql/postgresql 9.2.3
postgresql/postgresql 9.2.4
postgresql/postgresql 9.2.5
postgresql/postgresql 9.2.6
postgresql/postgresql 9.2.7
postgresql/postgresql 9.2.8
... and 37 more
Published Dec 09, 2016
Tracked Since Feb 18, 2026