CVE-2007-3280
Published 2007-06-19
Priority P2 · 58 · critical · 9 · CVSS 2.0
AV:N/AC:L/Au:S/C:C/I:C/A:C
EXPLOIT
EPSS: 26.13% (97.7th percentile)
The Database Link library (dblink) in PostgreSQL 8.1 implements functions via CREATE statements that map to arbitrary libraries based on the C programming language, which allows remote authenticated superusers to map and execute a function from any library, as demonstrated by using the system function in libc.so.6 to gain shell access.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| postgresql | postgresql | — | — |
Detection & IOCs (extracted from sources)
- Monitor PostgreSQL for CREATE FUNCTION statements that reference external shared library paths (especially /tmp or world-writable directories), which may indicate UDF-based exploitation.
- Detect use of the UPDATE pg_largeobject method for binary injection of shared object files into the database, a precursor to UDF payload execution.
- Alert on PostgreSQL UDF shared libraries loaded from /tmp, as the exploit relies on the postgres service account writing and sourcing shared objects from that directory.
- The malicious shared object's constructor is used to execute the payload — look for unexpected child processes spawned by the PostgreSQL service process (e.g., shells or reverse-shell processes).
- Red Hat explicitly does not treat this as a security vulnerability, considering superuser code execution an intended feature — deployments relying on Red Hat guidance may not have mitigations applied.
- Exploitation requires a remote authenticated PostgreSQL superuser account; non-superuser accounts cannot trigger this attack path.
- The attack is specific to PostgreSQL 8.1 with the dblink extension enabled; environments without dblink loaded are not directly exposed via this documented vector.
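One way to turn the first three detection points above into a log check, as an added example that is not part of the original page or of any PostgreSQL tooling. It assumes statement logging is enabled (`log_statement` set to `ddl` or `all`) and that only `$libdir` libraries are expected; the function names, finding labels and sample log lines are constructed for illustration.

```python
import re

# Assumption: statements are logged (log_statement = 'ddl' or 'all'); the text
# before "statement:" depends on log_line_prefix and is ignored here.
STATEMENT = re.compile(r"statement:\s*(.*)$", re.I)
CREATE_FUNC = re.compile(r"\bcreate\s+(?:or\s+replace\s+)?function\b", re.I)
LANG_C = re.compile(r"\blanguage\s+'?c\b", re.I)
OBJ_FILE = re.compile(r"\bas\s+'([^']+)'", re.I)
LO_WRITE = re.compile(r"\bupdate\s+pg_largeobject\b", re.I)

def library_allowed(lib):
    # Assumption: this site only expects libraries resolved through $libdir
    # or bare names found via dynamic_library_path.
    return lib.startswith("$libdir/") or "/" not in lib

def classify(line):
    """Return (finding, library) tuples for one server log line."""
    m = STATEMENT.search(line)
    if not m:
        return []
    sql, findings = m.group(1), []
    obj = OBJ_FILE.search(sql)
    # C-language function whose object file is an explicit path
    if CREATE_FUNC.search(sql) and LANG_C.search(sql) and obj:
        lib = obj.group(1)
        if lib.startswith("/tmp/"):
            findings.append(("c_function_from_tmp", lib))
        elif not library_allowed(lib):
            findings.append(("c_function_outside_libdir", lib))
    # Direct write to the large-object catalog
    if LO_WRITE.search(sql):
        findings.append(("pg_largeobject_write", None))
    return findings

def scan(log_text):
    """Return (line number, finding, library) for every hit in a log."""
    return [(n, kind, lib) for n, line in enumerate(log_text.splitlines(), 1)
            for kind, lib in classify(line)]

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = """\
2007-06-20 10:01:02 UTC [4312] LOG:  statement: CREATE FUNCTION dblink_connect(text) RETURNS text AS '$libdir/dblink', 'dblink_connect' LANGUAGE C STRICT;
2007-06-20 10:07:41 UTC [4312] LOG:  statement: UPDATE pg_largeobject SET data = '<elided>' WHERE loid = 16501;
2007-06-20 10:07:55 UTC [4312] LOG:  statement: CREATE OR REPLACE FUNCTION f_a1() RETURNS int AS '/tmp/a1.so', 'f_a1' LANGUAGE C;
2007-06-20 10:09:13 UTC [4312] LOG:  statement: CREATE FUNCTION run(cstring) RETURNS int AS '/lib/libc.so.6', 'system' LANGUAGE C STRICT;
2007-06-20 10:10:00 UTC [4312] LOG:  statement: SELECT count(*) FROM orders;
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The legitimate `$libdir/dblink` definition on the first line produces no finding, so the check can run against servers where dblink is installed normally.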
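CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
| vendor_redhat | — | 9.0 | CRITICAL | — |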
GHSA
GHSA-h7vx-cf93-p4j3: The Database Link library (dblink) in PostgreSQL 8
ghsa_unreviewed·2022-05-01
CVE-2007-3280 [HIGH] GHSA-h7vx-cf93-p4j3: The Database Link library (dblink) in PostgreSQL 8
Red Hat
Database superuser can execute code on behalf of postgresql server
vendor_redhat·CVSS 9.0
CVE-2007-3280 [CRITICAL] Database superuser can execute code on behalf of postgresql server
Statement: Red Hat does not consider this to be a security issue. The ability of the superuser to execute code on behalf of the database server is an intended feature and imposes no security threat as the superuser account is restricted to the database administrator.
No detection rules found.
- http://osvdb.org/40901
- http://www.leidecker.info/pgshell/Having_Fun_With_PostgreSQL.txt
- http://www.mandriva.com/security/advisories?name=MDKSA-2007:188
- http://www.portcullis.co.uk/uplds/whitepapers/Having_Fun_With_PostgreSQL.pdf
- http://www.securityfocus.com/archive/1/471541/100/0/threaded
- https://exchange.xforce.ibmcloud.com/vulnerabilities/35145