CVE-2009-3231

The core server component in PostgreSQL 8.3 before 8.3.8 and 8.2 before 8.2.14, when using LDAP authentication with anonymous binds, allows remote attackers to bypass authentication via an empty password.

Weakness

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Affected Software

Name	Vendor	Start Version	End Version
Postgresql	Postgresql	8.2 (including)	8.2.14 (excluding)
Postgresql	Postgresql	8.3 (including)	8.3.8 (excluding)
Postgresql-8.3	Ubuntu	hardy	*
Postgresql-8.3	Ubuntu	intrepid	*
Postgresql-8.3	Ubuntu	jaunty	*
Postgresql-8.3	Ubuntu	upstream	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/114.html
https://cwe.mitre.org/data/definitions/115.html
https://cwe.mitre.org/data/definitions/151.html
https://cwe.mitre.org/data/definitions/194.html
https://cwe.mitre.org/data/definitions/22.html
https://cwe.mitre.org/data/definitions/57.html
https://cwe.mitre.org/data/definitions/593.html
https://cwe.mitre.org/data/definitions/633.html
https://cwe.mitre.org/data/definitions/650.html
https://cwe.mitre.org/data/definitions/94.html

References

http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
http://marc.info/?l=bugtraq\u0026m=134124585221119\u0026w=2
http://secunia.com/advisories/36660
http://secunia.com/advisories/36727
http://secunia.com/advisories/36800
http://secunia.com/advisories/36837
http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0012
http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
http://www.postgresql.org/support/security.html
http://www.securityfocus.com/archive/1/509917/100/0/threaded
http://www.securityfocus.com/bid/36314
http://www.ubuntu.com/usn/usn-834-1
http://www.us.debian.org/security/2009/dsa-1900
https://bugzilla.redhat.com/show_bug.cgi?id=522084
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2009-10/msg00004.html
http://marc.info/?l=bugtraq\u0026m=134124585221119\u0026w=2
http://secunia.com/advisories/36660
http://secunia.com/advisories/36727
http://secunia.com/advisories/36800
http://secunia.com/advisories/36837
http://wiki.rpath.com/wiki/Advisories:rPSA-2010-0012
http://www.postgresql.org/docs/8.3/static/release-8-3-8.html
http://www.postgresql.org/support/security.html
http://www.securityfocus.com/archive/1/509917/100/0/threaded
http://www.securityfocus.com/bid/36314
http://www.ubuntu.com/usn/usn-834-1
http://www.us.debian.org/security/2009/dsa-1900
https://bugzilla.redhat.com/show_bug.cgi?id=522084
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00305.html
https://www.redhat.com/archives/fedora-package-announce/2009-September/msg00307.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2009-3231
CWE	https://cwe.mitre.org/data/definitions/287.html

Improper Authentication

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References