CVE-2009-0922
Published 2009-03-17
CVE-2009-0922: PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by…
Priority: P4 · 21 · medium · 4 (CVSS 2.0)
CVSS vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
EXPLOIT
EPSS: 10.24% (95.1th percentile)
PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
| postgresql | postgresql | — | — |
CVSS provenance
nvd · v2.0 · 4.0 MEDIUM · AV:N/AC:L/Au:S/C:N/I:N/A:P
vendor_redhat · 4.3 MEDIUM
Red Hat
jetty: XSS in example Cookie Dump servlet (CORE-2009-0922)
vendor_redhat·2009-10-06·CVSS 4.3
CVE-2009-3579 [MEDIUM] CWE-79 jetty: XSS in example Cookie Dump servlet (CORE-2009-0922)
Cross-site scripting (XSS) vulnerability in the CookieDump.java sample application in Mort Bay Jetty 6.1.19 and 6.1.20 allows remote attackers to inject arbitrary web script or HTML via the Value parameter in a GET request to cookie/.
Ubuntu
PostgreSQL vulnerability
vendor_ubuntu·2009-04-07
CVE-2009-0922 PostgreSQL vulnerability
Title: PostgreSQL vulnerability
Summary: PostgreSQL vulnerability
It was discovered that PostgreSQL did not properly handle encoding
conversion failures. An attacker could exploit this by sending specially
crafted requests to PostgreSQL, leading to a denial of service.
Instructions: This update uses a new upstream release, which includes additional
bug fixes. In general, a standard system upgrade is sufficient to
effect the necessary changes.
Red Hat
postgresql: potential DoS due to conversion functions
vendor_redhat·2009-02-27·CVSS 4.0
CVE-2009-0922 [MEDIUM] postgresql: potential DoS due to conversion functions
PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.
GHSA
GHSA-fj47-2vxw-632j: PostgreSQL before 8
ghsa_unreviewed·2022-05-02
CVE-2009-0922 [MEDIUM] GHSA-fj47-2vxw-632j: PostgreSQL before 8
PostgreSQL before 8.3.7, 8.2.13, 8.1.17, 8.0.21, and 7.4.25 allows remote authenticated users to cause a denial of service (stack consumption and crash) by triggering a failure in the conversion of a localized error message to a client-specified encoding, as demonstrated using mismatched encoding conversion requests.
No detection rules found.
Bugzilla
CVE-2009-3579 jetty: XSS in example Cookie Dump servlet (CORE-2009-0922)
bugzilla·2009-11-03·CVSS 4.3
CVE-2009-3579 [MEDIUM] CVE-2009-3579 jetty: XSS in example Cookie Dump servlet (CORE-2009-0922)
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3579 to the following vulnerability:
Cross-site scripting (XSS) vulnerability in the CookieDump.java sample
application in Mort Bay Jetty 6.1.19 and 6.1.20 allows remote
attackers to inject arbitrary web script or HTML via the Value
parameter in a GET request to cookie/.
Core Security Technologies advisory CORE-2009-0922:
http://www.coresecurity.com/content/jetty-persistent-xss
Sample XSS:
http://localhost:8088/cookie/?Name=a&Value=alert('XSS;)&Age=600
Note: Issue is not fixed in 6.1.21 as noted in CORE-2009-0922. This should be a proper upstream fix to be included in 6.1.22:
http://fisheye.codehaus.org/changelog/jetty/?cs=5571
This sample serv
Bugzilla
CVE-2009-0922 postgresql: potential DoS due to conversion functions
bugzilla·2009-03-02·CVSS 4.0
CVE-2009-0922 [MEDIUM] CVE-2009-0922 postgresql: potential DoS due to conversion functions
A stack overflow was found in how PostgreSQL handles conversion encoding. This could allow an authenticated user to kill connections to the PostgreSQL server for a small amount of time, which could interrupt transactions by other users/clients.
The original report is here:
http://archives.postgresql.org/pgsql-bugs/2009-02/msg00172.php
Upstream has a patch for this issue that causes the server to crash in a different way (core dump due to abort() rather than core dump due to stack overflow), but it sounds like they are still looking for a better fix.
Discussion:
On a second look, the postmaster and postgres logging processes are not killed, but this does impact other connections as anyone attempting to interact with th
http://archives.postgresql.org//pgsql-bugs/2009-02/msg00176.php
http://archives.postgresql.org/pgsql-bugs/2009-02/msg00172.php
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=517405
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
http://marc.info/?l=bugtraq&m=134124585221119&w=2
http://secunia.com/advisories/34453
http://secunia.com/advisories/35100
http://sunsolve.sun.com/search/document.do?assetkey=1-66-258808-1
http://sunsolve.sun.com/search/document.do?assetkey=1-77-1020455.1-1
http://wiki.rpath.com/Advisories:rPSA-2009-0086
http://www.mandriva.com/security/advisories?name=MDVSA-2009:079
http://www.openwall.com/lists/oss-security/2009/03/11/4
http://www.postgresql.org/about/news.1065
http://www.redhat.com/support/errata/RHSA-2009-1067.html
http://www.securityfocus.com/archive/1/503598/100/0/threaded
http://www.securityfocus.com/bid/34090
http://www.securitytracker.com/id?1021860
http://www.vupen.com/english/advisories/2009/0767
http://www.vupen.com/english/advisories/2009/1316
https://bugzilla.redhat.com/show_bug.cgi?id=488156
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10874
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6252
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00810.html
https://www.redhat.com/archives/fedora-package-announce/2009-March/msg00843.html
Published: 2009-03-17