Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 7.5
CVE Id CVE-2012-1618
Last Modified 08 Oct 2012 12:00:00
Published 06 Oct 2012 06:55:01
Confidentiality Impact PARTIAL
Integrity Impact PARTIAL
Availability Impact PARTIAL
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2012-1618

Summary

The PostgreSQL JDBC driver before 8.2, when used with a PostgreSQL server that has the "standard_conforming_strings" option enabled (the default configuration of PostgreSQL 9.1), does not properly escape unspecified JDBC statement parameters because of an interaction error between the driver's escaping and the server's string-literal handling. This allows remote attackers to perform SQL injection attacks. NOTE: as of 20120330, it was claimed that the upstream developer planned to dispute this issue, but an official dispute had not been posted as of 20121005.

Vulnerable Systems

Application

  • PostgreSQL 9.1

  • PostgreSQL JDBC Driver 8.1


References

MISC - https://bugzilla.novell.com/show_bug.cgi?id=754273

OSVDB - 80641

MLIST - [oss-security] 20120404 Re: CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters

MLIST - [oss-security] 20120404 Re: Re: [JDBC] CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters

MLIST - [oss-security] 20120404 Re: Re: [pgsql-security] postgresql-jdbc 8.1 SQL injection with postgresql server 9.1

MLIST - [oss-security] 20120402 Re: [JDBC] CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters

MLIST - [oss-security] 20120331 SQL injection attack possible when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver

MLIST - [oss-security] 20120330 postgresql-jdbc 8.1 SQL injection with postgresql server 9.1

MLIST - [oss-security] 20120330 CVE DISPUTE notification: postgresql-jdbc: SQL injection due improper escaping of JDBC statement parameters

MLIST - [opensuse-security] 20120325 SQL injection attack possible when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver

BUGTRAQ - 20120325 SQL injection attack possible when connecting to PostgreSQL 9.1 with version 8.1 JDBC driver


Last Updated: 27 May 2016 11:00:54