CVE-2016-1255 — Link Following in Postgresql-common

CWE-59 — Link Following7 documents5 sources

Severity

7.8HIGHNVD

EPSS

0.0%

top 89.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Postgresql-common

Timeline

PublishedDec 5

Latest updateMay 17

Description

The pg_ctlcluster script in postgresql-common package in Debian wheezy before 134wheezy5, in Debian jessie before 165+deb8u2, in Debian unstable before 178, in Ubuntu 12.04 LTS before 129ubuntu1.2, in Ubuntu 14.04 LTS before 154ubuntu1.1, in Ubuntu 16.04 LTS before 173ubuntu0.1, in Ubuntu 17.04 before 179ubuntu0.1, and in Ubuntu 17.10 before 184ubuntu1.1 allows local users to gain root privileges via a symlink attack on a logfile in /var/log/postgresql.

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/postgresql-common< postgresql-common 178 (bookworm)

▶Debiandebian/postgresql-common< 178+3

▶Ubuntudebian/postgresql-common< 154ubuntu1.1+1

▶NVDdebian/postgresql-common184 versions+183

Patches

Patch: anonscm.debian.org ↗Patch: anonscm.debian.org ↗

🔴Vulnerability Details

GHSA

GHSA-67hr-wg4g-mjjv: The pg_ctlcluster script in postgresql-common package in Debian wheezy before 134wheezy5, in Debian jessie before 165+deb8u2, in Debian unstable befor↗2022-05-17

▶

OSV

CVE-2016-1255: The pg_ctlcluster script in postgresql-common package in Debian wheezy before 134wheezy5, in Debian jessie before 165+deb8u2, in Debian unstable befor↗2017-12-05

▶

OSV

postgresql-common vulnerabilities↗2017-11-09

▶

📋Vendor Advisories

Ubuntu

postgresql-common vulnerabilities↗2017-11-27

▶

Ubuntu

postgresql-common vulnerabilities↗2017-11-09

▶

Debian

CVE-2016-1255: postgresql-common - The pg_ctlcluster script in postgresql-common package in Debian wheezy before 13...↗2016

▶