pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
1832c75415
vuln-list-alt/oval/c9f2/ALT-PU-2023-6629/definitions.json
pepelyaevip 9e8a5a2bb2 ALT Vulnerability
2024-02-14 09:47:22 +00:00

258 lines
13 KiB
JSON
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20236629",
"Version": "oval:org.altlinux.errata:def:20236629",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2023-6629: package `postgresql12-1C` update to version 12.15-alt0.M90P.1",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c9f2"
],
"Products": [
"ALT SPWorkstation",
"ALT SPServer"
]
}
],
"References": [
{
"RefID": "ALT-PU-2023-6629",
"RefURL": "https://errata.altlinux.org/ALT-PU-2023-6629",
"Source": "ALTPU"
},
{
"RefID": "BDU:2022-04971",
"RefURL": "https://bdu.fstec.ru/vul/2022-04971",
"Source": "BDU"
},
{
"RefID": "BDU:2023-02003",
"RefURL": "https://bdu.fstec.ru/vul/2023-02003",
"Source": "BDU"
},
{
"RefID": "BDU:2023-03024",
"RefURL": "https://bdu.fstec.ru/vul/2023-03024",
"Source": "BDU"
},
{
"RefID": "BDU:2023-03247",
"RefURL": "https://bdu.fstec.ru/vul/2023-03247",
"Source": "BDU"
},
{
"RefID": "BDU:2023-04767",
"RefURL": "https://bdu.fstec.ru/vul/2023-04767",
"Source": "BDU"
},
{
"RefID": "CVE-2021-43767",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2021-43767",
"Source": "CVE"
},
{
"RefID": "CVE-2022-1552",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-1552",
"Source": "CVE"
},
{
"RefID": "CVE-2022-2625",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-2625",
"Source": "CVE"
},
{
"RefID": "CVE-2022-41862",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2022-41862",
"Source": "CVE"
},
{
"RefID": "CVE-2023-2454",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-2454",
"Source": "CVE"
},
{
"RefID": "CVE-2023-2455",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-2455",
"Source": "CVE"
},
{
"RefID": "CVE-2023-39417",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2023-39417",
"Source": "CVE"
}
],
"Description": "This update upgrades postgresql12-1C to version 12.15-alt0.M90P.1. \nSecurity Fix(es):\n\n * BDU:2022-04971: Уязвимость системы управления базами данных PostgreSQL, связанная с ошибками при использовании команд OR расширениями, позволяющая нарушителю повысить свои привилегии и заменить произвольные объекты в базе данных\n\n * BDU:2023-02003: Уязвимость системы управления базами данных PostgreSQL, связанная с раскрытием информации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации\n\n * BDU:2023-03024: Уязвимость компонента Schema Handler системы управления базами данных PostgreSQL, позволяющая нарушителю обойти ограничения безопасности\n\n * BDU:2023-03247: Уязвимость системы управления базами данных PostgreSQL, связанная с недостатками разграничения доступа, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код\n\n * BDU:2023-04767: Уязвимость системы управления базами данных PostgreSQL, связанная с возможностью SQL-инъекций в расширениях, позволяющая нарушителю выполнять произвольный SQL-запрос к базе данных\n\n * CVE-2021-43767: Odyssey passes to client unencrypted bytes from man-in-the-middle When Odyssey storage is configured to use the PostgreSQL server using 'trust' authentication with a 'clientcert' requirement or to use 'cert' authentication, a man-in-the-middle attacker can inject false responses to the client's first few queries. Despite the use of SSL certificate verification and encryption, Odyssey will pass these results to client as if they originated from valid server. This is similar to CVE-2021-23222 for PostgreSQL.\n\n * CVE-2022-1552: A flaw was found in PostgreSQL. There is an issue with incomplete efforts to operate safely when a privileged user is maintaining another user's objects. The Autovacuum, REINDEX, CREATE INDEX, REFRESH MATERIALIZED VIEW, CLUSTER, and pg_amcheck commands activated relevant protections too late or not at all during the process. This flaw allows an attacker with permission to create non-temporary objects in at least one schema to execute arbitrary SQL functions under a superuser identity.\n\n * CVE-2022-2625: A vulnerability was found in PostgreSQL. This attack requires permission to create non-temporary objects in at least one schema, the ability to lure or wait for an administrator to create or update an affected extension in that schema, and the ability to lure or wait for a victim to use the object targeted in CREATE OR REPLACE or CREATE IF NOT EXISTS. Given all three prerequisites, this flaw allows an attacker to run arbitrary code as the victim role, which may be a superuser.\n\n * CVE-2022-41862: In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.\n\n * CVE-2023-2454: schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code.\n\n * CVE-2023-2455: Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy.\n\n * CVE-2023-39417: IN THE EXTENSION SCRIPT, a SQL Injection vulnerability was found in PostgreSQL if it uses @extowner@, @extschema@, or @extschema:...@ inside a quoting construct (dollar quoting, '', or \"\"). If an administrator has installed files of a vulnerable, trusted, non-bundled extension, an attacker with database-level CREATE privilege can execute arbitrary code as the bootstrap superuser.",
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "High",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2023-11-01"
},
"Updated": {
"Date": "2023-11-01"
},
"bdu": [
{
"Cvss": "AV:N/AC:L/Au:S/C:C/I:C/A:C",
"Cvss3": "AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"Cwe": "CWE-264",
"Href": "https://bdu.fstec.ru/vul/2022-04971",
"Impact": "High",
"Public": "20220811",
"CveID": "BDU:2022-04971"
},
{
"Cvss": "AV:N/AC:H/Au:N/C:P/I:N/A:N",
"Cvss3": "AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"Cwe": "CWE-125, CWE-200",
"Href": "https://bdu.fstec.ru/vul/2023-02003",
"Impact": "Low",
"Public": "20230209",
"CveID": "BDU:2023-02003"
},
{
"Cvss": "AV:N/AC:H/Au:S/C:P/I:P/A:N",
"Cvss3": "AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N",
"Cwe": "CWE-254",
"Href": "https://bdu.fstec.ru/vul/2023-03024",
"Impact": "Low",
"Public": "20230511",
"CveID": "BDU:2023-03024"
},
{
"Cvss": "AV:N/AC:L/Au:M/C:C/I:C/A:C",
"Cvss3": "AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-264",
"Href": "https://bdu.fstec.ru/vul/2023-03247",
"Impact": "High",
"Public": "20230511",
"CveID": "BDU:2023-03247"
},
{
"Cvss": "AV:N/AC:H/Au:S/C:C/I:C/A:C",
"Cvss3": "AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-89",
"Href": "https://bdu.fstec.ru/vul/2023-04767",
"Impact": "High",
"Public": "20230801",
"CveID": "BDU:2023-04767"
}
],
"Cves": [
{
"Cvss3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N",
"Cwe": "CWE-295",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2021-43767",
"Impact": "Low",
"Public": "20220825",
"CveID": "CVE-2021-43767"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-459",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-1552",
"Impact": "High",
"Public": "20220831",
"CveID": "CVE-2022-1552"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"Cwe": "CWE-1321",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-2625",
"Impact": "High",
"Public": "20220818",
"CveID": "CVE-2022-2625"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"Cwe": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2022-41862",
"Impact": "Low",
"Public": "20230303",
"CveID": "CVE-2022-41862"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-2454",
"Impact": "High",
"Public": "20230609",
"CveID": "CVE-2023-2454"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"Cwe": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-2455",
"Impact": "Low",
"Public": "20230609",
"CveID": "CVE-2023-2455"
},
{
"Cvss3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"Cwe": "CWE-89",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2023-39417",
"Impact": "High",
"Public": "20230811",
"CveID": "CVE-2023-39417"
}
],
"AffectedCpeList": {
"Cpe": [
"cpe:/o:alt:spworkstation:8.4",
"cpe:/o:alt:spserver:8.4"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:3001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20236629001",
"Comment": "postgresql12-1C is earlier than 0:12.15-alt0.M90P.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20236629002",
"Comment": "postgresql12-1C-contrib is earlier than 0:12.15-alt0.M90P.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20236629003",
"Comment": "postgresql12-1C-docs is earlier than 0:12.15-alt0.M90P.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20236629004",
"Comment": "postgresql12-1C-perl is earlier than 0:12.15-alt0.M90P.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20236629005",
"Comment": "postgresql12-1C-python is earlier than 0:12.15-alt0.M90P.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20236629006",
"Comment": "postgresql12-1C-server is earlier than 0:12.15-alt0.M90P.1"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20236629007",
"Comment": "postgresql12-1C-tcl is earlier than 0:12.15-alt0.M90P.1"
}
]
}
]
}
}
]
}
Reference in New Issue View Git Blame Copy Permalink