PostgreSQL bugs allow a remote user to cause the service to crash


Description: A remote authenticated user with CREATEDB or CREATEROLE roles can create a specially crafted object name containing newlines, carriage returns, double quotes, or backslashes that will, when a superuser runs certain maintenance programs (e.g., pg_dumpall, pg_upgrade, vacuumdb, reindexdb, and clusterdb), grant the user superuser privileges [CVE-2016-5424].

Affected versions: 9.1.x, 9.2.x, 9.3.x, 9.4.x, 9.x.

Recommended action: Apply the vendor-issued fix (9.1.23, 9.2.18, 9.3.14, 9.4.9, 9.5.4).
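An audit sketch for the two checks this advisory implies, added here as an example and not taken from the advisory or the PostgreSQL project: whether a server version is at or above the fixed release for its branch, and whether any database or role name contains the characters named in the description. The function names and the sample names are assumptions constructed for illustration; in practice the names would come from `pg_database.datname` and `pg_roles.rolname`.

```python
import re

# Fixed releases listed in the advisory above, keyed by branch.
FIXED = {"9.1": 23, "9.2": 18, "9.3": 14, "9.4": 9, "9.5": 4}

# Characters the advisory names as dangerous in object names:
# newline, carriage return, double quote, backslash.
RISKY = re.compile(r'[\n\r"\\]')


def is_patched(version):
    """Return True/False for branches in the fix list, None otherwise."""
    m = re.fullmatch(r"(\d+\.\d+)\.(\d+)", version.strip())
    if not m or m.group(1) not in FIXED:
        return None  # branch not covered by the advisory's fix list
    return int(m.group(2)) >= FIXED[m.group(1)]


def risky_names(names):
    """Return (name, offending characters) for names that need review."""
    findings = []
    for name in names:
        hits = sorted(set(RISKY.findall(name)))
        if hits:
            findings.append((name, hits))
    return findings


# Constructed sample data standing in for the output of
# SELECT datname FROM pg_database and SELECT rolname FROM pg_roles.
SAMPLE_NAMES = ["postgres", "app_prod", 'odd"name', "line\nbreak", "back\\slash"]

if __name__ == "__main__":
    for v in ("9.4.8", "9.5.4", "9.0.1"):
        print(v, "patched:", is_patched(v))
    for name, hits in risky_names(SAMPLE_NAMES):
        print(repr(name), "contains", [repr(h) for h in hits])
```

A flagged name is a cue to review who created the object before a superuser runs the maintenance programs listed above on an unpatched server; it is not proof of abuse.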

Origin URLs:
