CVE-2009-3230

The core server component in PostgreSQL 8.4 before 8.4.1, 8.3 before 8.3.8, 8.2 before 8.2.14, 8.1 before 8.1.18, 8.0 before 8.0.22, and 7.4 before 7.4.26 does not use the appropriate privileges for the (1) RESET ROLE and (2) RESET SESSION AUTHORIZATION operations, which allows remote authenticated users to gain privileges. NOTE: this is due to an incomplete fix for CVE-2007-6600.

Affected Software

Name	Vendor	Start Version	End Version
Postgresql	Postgresql	7.4 (including)	7.4 (including)
Postgresql	Postgresql	7.4.1 (including)	7.4.1 (including)
Postgresql	Postgresql	7.4.2 (including)	7.4.2 (including)
Postgresql	Postgresql	7.4.3 (including)	7.4.3 (including)
Postgresql	Postgresql	7.4.4 (including)	7.4.4 (including)
Postgresql	Postgresql	7.4.5 (including)	7.4.5 (including)
Postgresql	Postgresql	7.4.6 (including)	7.4.6 (including)
Postgresql	Postgresql	7.4.7 (including)	7.4.7 (including)
Postgresql	Postgresql	7.4.8 (including)	7.4.8 (including)
Postgresql	Postgresql	7.4.9 (including)	7.4.9 (including)
Postgresql	Postgresql	7.4.10 (including)	7.4.10 (including)
Postgresql	Postgresql	7.4.11 (including)	7.4.11 (including)
Postgresql	Postgresql	7.4.12 (including)	7.4.12 (including)
Postgresql	Postgresql	7.4.13 (including)	7.4.13 (including)
Postgresql	Postgresql	7.4.14 (including)	7.4.14 (including)
Postgresql	Postgresql	7.4.15 (including)	7.4.15 (including)
Postgresql	Postgresql	7.4.16 (including)	7.4.16 (including)
Postgresql	Postgresql	7.4.17 (including)	7.4.17 (including)
Postgresql	Postgresql	7.4.18 (including)	7.4.18 (including)
Postgresql	Postgresql	7.4.19 (including)	7.4.19 (including)
Postgresql	Postgresql	7.4.20 (including)	7.4.20 (including)
Postgresql	Postgresql	7.4.21 (including)	7.4.21 (including)
Postgresql	Postgresql	7.4.22 (including)	7.4.22 (including)
Postgresql	Postgresql	7.4.23 (including)	7.4.23 (including)
Postgresql	Postgresql	7.4.24 (including)	7.4.24 (including)
Postgresql	Postgresql	7.4.25 (including)	7.4.25 (including)
Postgresql	Postgresql	8.0 (including)	8.0 (including)
Postgresql	Postgresql	8.0.1 (including)	8.0.1 (including)
Postgresql	Postgresql	8.0.2 (including)	8.0.2 (including)
Postgresql	Postgresql	8.0.3 (including)	8.0.3 (including)
Postgresql	Postgresql	8.0.4 (including)	8.0.4 (including)
Postgresql	Postgresql	8.0.5 (including)	8.0.5 (including)
Postgresql	Postgresql	8.0.6 (including)	8.0.6 (including)
Postgresql	Postgresql	8.0.7 (including)	8.0.7 (including)
Postgresql	Postgresql	8.0.8 (including)	8.0.8 (including)
Postgresql	Postgresql	8.0.9 (including)	8.0.9 (including)
Postgresql	Postgresql	8.0.10 (including)	8.0.10 (including)
Postgresql	Postgresql	8.0.11 (including)	8.0.11 (including)
Postgresql	Postgresql	8.0.12 (including)	8.0.12 (including)
Postgresql	Postgresql	8.0.13 (including)	8.0.13 (including)
Postgresql	Postgresql	8.0.14 (including)	8.0.14 (including)
Postgresql	Postgresql	8.0.15 (including)	8.0.15 (including)
Postgresql	Postgresql	8.0.16 (including)	8.0.16 (including)
Postgresql	Postgresql	8.0.17 (including)	8.0.17 (including)
Postgresql	Postgresql	8.0.18 (including)	8.0.18 (including)
Postgresql	Postgresql	8.0.19 (including)	8.0.19 (including)
Postgresql	Postgresql	8.0.20 (including)	8.0.20 (including)
Postgresql	Postgresql	8.0.21 (including)	8.0.21 (including)
Postgresql	Postgresql	8.1 (including)	8.1 (including)
Postgresql	Postgresql	8.1.1 (including)	8.1.1 (including)
Postgresql	Postgresql	8.1.2 (including)	8.1.2 (including)
Postgresql	Postgresql	8.1.3 (including)	8.1.3 (including)
Postgresql	Postgresql	8.1.4 (including)	8.1.4 (including)
Postgresql	Postgresql	8.1.5 (including)	8.1.5 (including)
Postgresql	Postgresql	8.1.6 (including)	8.1.6 (including)
Postgresql	Postgresql	8.1.7 (including)	8.1.7 (including)
Postgresql	Postgresql	8.1.8 (including)	8.1.8 (including)
Postgresql	Postgresql	8.1.9 (including)	8.1.9 (including)
Postgresql	Postgresql	8.1.10 (including)	8.1.10 (including)
Postgresql	Postgresql	8.1.11 (including)	8.1.11 (including)
Postgresql	Postgresql	8.1.12 (including)	8.1.12 (including)
Postgresql	Postgresql	8.1.13 (including)	8.1.13 (including)
Postgresql	Postgresql	8.1.14 (including)	8.1.14 (including)
Postgresql	Postgresql	8.1.15 (including)	8.1.15 (including)
Postgresql	Postgresql	8.1.16 (including)	8.1.16 (including)
Postgresql	Postgresql	8.2 (including)	8.2 (including)
Postgresql	Postgresql	8.2.1 (including)	8.2.1 (including)
Postgresql	Postgresql	8.2.2 (including)	8.2.2 (including)
Postgresql	Postgresql	8.2.3 (including)	8.2.3 (including)
Postgresql	Postgresql	8.2.4 (including)	8.2.4 (including)
Postgresql	Postgresql	8.2.5 (including)	8.2.5 (including)
Postgresql	Postgresql	8.2.6 (including)	8.2.6 (including)
Postgresql	Postgresql	8.2.7 (including)	8.2.7 (including)
Postgresql	Postgresql	8.2.8 (including)	8.2.8 (including)
Postgresql	Postgresql	8.2.9 (including)	8.2.9 (including)
Postgresql	Postgresql	8.2.10 (including)	8.2.10 (including)
Postgresql	Postgresql	8.2.11 (including)	8.2.11 (including)
Postgresql	Postgresql	8.2.12 (including)	8.2.12 (including)
Postgresql	Postgresql	8.2.13 (including)	8.2.13 (including)
Postgresql	Postgresql	8.3.1 (including)	8.3.1 (including)
Postgresql	Postgresql	8.3.2 (including)	8.3.2 (including)
Postgresql	Postgresql	8.3.3 (including)	8.3.3 (including)
Postgresql	Postgresql	8.3.4 (including)	8.3.4 (including)
Postgresql	Postgresql	8.3.5 (including)	8.3.5 (including)
Postgresql	Postgresql	8.3.6 (including)	8.3.6 (including)
Postgresql	Postgresql	8.3.7 (including)	8.3.7 (including)
Postgresql	Postgresql	8.4 (including)	8.4 (including)
Red Hat Enterprise Linux 3	RedHat	rh-postgresql-0:7.3.21-2	*
Red Hat Enterprise Linux 4	RedHat	postgresql-0:7.4.26-1.el4_8.1	*
Red Hat Enterprise Linux 5	RedHat	postgresql-0:8.1.18-2.el5_4.1	*
Postgresql-8.1	Ubuntu	dapper	*
Postgresql-8.1	Ubuntu	upstream	*
Postgresql-8.3	Ubuntu	hardy	*
Postgresql-8.3	Ubuntu	intrepid	*
Postgresql-8.3	Ubuntu	jaunty	*
Postgresql-8.3	Ubuntu	upstream	*

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-3230
CWE	https://cwe.mitre.org/data/definitions/264.html

Affected Software

References