pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vuln-list-alt/oval/c9f2/ALT-PU-2023-6629/definitions.json

258 lines
13 KiB
JSON
Raw Normal View History

ALT Vulnerability
2024-01-10 07:45:25 +00:00
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20236629",
"Version": "oval:org.altlinux.errata:def:20236629",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2023-6629: package `postgresql12-1C` update to version 12.15-alt0.M90P.1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c9f2"
],
"Products": [
"ALT SPWorkstation",
"ALT SPServer"
]
}
],
"References": [
{
"RefID": "ALT-PU-2023-6629",
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-6629",
"Source": "ALTPU"
},
{
"RefID": "BDU:2022-04971",
"RefURL": "https://bdu.fstec.ru/vul/2022-04971",
"Source": "BDU"
},
{
"RefID": "BDU:2023-02003",
"RefURL": "https://bdu.fstec.ru/vul/2023-02003",
"Source": "BDU"
},
{
"RefID": "BDU:2023-03024",
"RefURL": "https://bdu.fstec.ru/vul/2023-03024",
"Source": "BDU"
},
{
"RefID": "BDU:2023-03247",
"RefURL": "https://bdu.fstec.ru/vul/2023-03247",
"Source": "BDU"
},
{
"RefID": "BDU:2023-04767",
"RefURL": "https://bdu.fstec.ru/vul/2023-04767",
"Source": "BDU"
},
{
"RefID": "CVE-2021-43767",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43767",
"Source": "CVE"
},
{
"RefID": "CVE-2022-1552",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-1552",
"Source": "CVE"
},
{
"RefID": "CVE-2022-2625",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-2625",
"Source": "CVE"
},
{
"RefID": "CVE-2022-41862",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-41862",
"Source": "CVE"
},
{
"RefID": "CVE-2023-2454",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-2454",
"Source": "CVE"
},
{
"RefID": "CVE-2023-2455",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-2455",
"Source": "CVE"
},
{
"RefID": "CVE-2023-39417",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-39417",
"Source": "CVE"
}
],
"Description": "This update upgrades postgresql12-1C to version 12.15-alt0.M90P.1. \nSecurity Fix(es):\n\n * BDU:2022-04971: Уязвимость системы управления базами данных PostgreSQL, связанная с ошибками при использовании команд OR расширениями, позволяющая нарушителю повысить свои привилегии и заменить произвольные объекты в базе данных\n\n * BDU:2023-02003: Уязвимость системы управления базами данных PostgreSQL, связанная с раскрытием информации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2023-03024: Уязвимость компонента Schema Handler системы управления базами данных PostgreSQL, позволяющая нарушителю обойти ограничения безопасности\n\n * BDU:2023-03247: Уязвимость системы управления базами данных PostgreSQL, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код\n\n * BDU:2023-04767: Уязвимость системы управления базами данных PostgreSQL, связанная с возможностью SQL-инъекций в расширениях, позволяющая нарушителю выполнять произвольный SQL-запрос к базе данных\n\n * CVE-2021-43767: Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.\n\n * CVE-2022-1552: A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.\n\n * CVE-2022-2625: A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.\n\n * CVE-2022-41862: In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.\n\n * CVE-2023-2454: schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.\n\n * CVE-2023-2455: Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
ALT Vulnerability
2024-02-14 09:47:22 +00:00
"Rights": "Copyright 2024 BaseALT Ltd.",
ALT Vulnerability
2024-01-10 07:45:25 +00:00
"Issued": {
"Date": "2023-11-01"
},
"Updated": {
"Date": "2023-11-01"
},
"bdu": [
{
"Cvss": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"Cvss3": "AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"Cwe": "CWE-264",
"Href": "https://bdu.fstec.ru/vul/2022-04971",
"Impact": "High",
"Public": "20220811",
"CveID": "BDU:2022-04971"
},
{
"Cvss": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"Cvss3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"Cwe": "CWE-125, CWE-200",
"Href": "https://bdu.fstec.ru/vul/2023-02003",
"Impact": "Low",
"Public": "20230209",
"CveID": "BDU:2023-02003"
},
{
"Cvss": "AV:N/AC:H/Au:S/C:P/I:P/A:N",
"Cvss3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"Cwe": "CWE-254",
"Href": "https://bdu.fstec.ru/vul/2023-03024",
"Impact": "Low",
"Public": "20230511",
"CveID": "BDU:2023-03024"
},
{
"Cvss": "AV:N/AC:L/Au:M/C:C/I:C/A:C",
"Cvss3": "AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-264",
"Href": "https://bdu.fstec.ru/vul/2023-03247",
"Impact": "High",
"Public": "20230511",
"CveID": "BDU:2023-03247"
},
{
"Cvss": "AV:N/AC:H/Au:S/C:C/I:C/A:C",
"Cvss3": "AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-89",
"Href": "https://bdu.fstec.ru/vul/2023-04767",
"Impact": "High",
"Public": "20230801",
"CveID": "BDU:2023-04767"
}
],
"Cves": [
{
"Cvss3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"Cwe": "CWE-295",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43767",
"Impact": "Low",
"Public": "20220825",
"CveID": "CVE-2021-43767"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-459",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-1552",
"Impact": "High",
"Public": "20220831",
"CveID": "CVE-2022-1552"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"Cwe": "CWE-1321",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-2625",
"Impact": "High",
"Public": "20220818",
"CveID": "CVE-2022-2625"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"Cwe": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-41862",
"Impact": "Low",
"Public": "20230303",
"CveID": "CVE-2022-41862"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-2454",
"Impact": "High",
"Public": "20230609",
"CveID": "CVE-2023-2454"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"Cwe": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-2455",
"Impact": "Low",
"Public": "20230609",
"CveID": "CVE-2023-2455"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-89",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-39417",
"Impact": "High",
"Public": "20230811",
"CveID": "CVE-2023-39417"
}
],
"AffectedCpeList": {
"Cpe": [
"cpe:/o:alt:spworkstation:8.4",
"cpe:/o:alt:spserver:8.4"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20236629001",
"Comment": "postgresql12-1C is earlier than 0:12.15-alt0.M90P.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20236629002",
"Comment": "postgresql12-1C-contrib is earlier than 0:12.15-alt0.M90P.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20236629003",
"Comment": "postgresql12-1C-docs is earlier than 0:12.15-alt0.M90P.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20236629004",
"Comment": "postgresql12-1C-perl is earlier than 0:12.15-alt0.M90P.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20236629005",
"Comment": "postgresql12-1C-python is earlier than 0:12.15-alt0.M90P.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20236629006",
"Comment": "postgresql12-1C-server is earlier than 0:12.15-alt0.M90P.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20236629007",
"Comment": "postgresql12-1C-tcl is earlier than 0:12.15-alt0.M90P.1"
}
]
}
]
}
}
]
}
Reference in New Issue Copy Permalink