CVE-2009-3231 — Improper Authentication in Postgresql

CWE-287 — Improper Authentication6 documents6 sources

Severity

6.8MEDIUMNVD

EPSS

5.0%

top 10.32%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Postgresql Opensuse Canonical Ubuntu Linux +3 more

Timeline

PublishedSep 17

Latest updateMay 2

Description

The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.

CVSS vector

AV:N/AC:M/C:P/I:P/A:PExploitability: 8.6 | Impact: 6.4

Affected Packages3 packages

▶NVDpostgresql/postgresql8.2 — 8.2.14+1

▶NVDsuse/linux_enterprise_server9

▶NVDopensuse/opensuse10.3 — 11.1

Also affects: Fedora 10, 11, Linux Enterprise 10.0, 11.0, Ubuntu Linux 6.06, 8.04, 8.10, 9.04

Patches

Patch: bugzilla.redhat.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-gx42-wp82-42x7: The core server component in PostgreSQL 8↗2022-05-02

▶

CVEList

CVE-2009-3231: The core server component in PostgreSQL 8↗2009-09-17

▶

📋Vendor Advisories

Ubuntu

PostgreSQL vulnerabilities↗2009-09-21

▶

Red Hat

postgresql: LDAP authentication bypass when anonymous LDAP bind are allowed↗2009-09-09

▶

💬Community

Bugzilla

CVE-2009-3231 postgresql: LDAP authentication bypass when anonymous LDAP bind are allowed↗2009-09-09

▶