NVD Vulnerability Detail

CVE-2013-1901

Summary	PostgreSQL 9.2.x before 9.2.4 and 9.1.x before 9.1.9 does not properly check REPLICATION privileges, which allows remote authenticated users to bypass intended backup restrictions by calling the (1) pg_start_backup or (2) pg_stop_backup functions.
Publication Date	April 5, 2013, 2:55 a.m.
Registration Date	Jan. 26, 2021, 3:37 p.m.
Last Update	Nov. 21, 2024, 10:50 a.m.

CVSS2.0 : MEDIUM
Score	4.0
Vector	AV:N/AC:L/Au:S/C:N/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	単一
機密性への影響(C)	なし
完全性への影響(I)	低
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.2.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.2.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.2.2:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.1.4:::::::*
cpe:2.3:a:postgresql:postgresql:9.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.5:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.8:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.6:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.7:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.1:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:canonical:ubuntu_linux:8.04:-:lts:::::*
cpe:2.3:o:canonical:ubuntu_linux:11.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.10:::::::*
cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:::::*
cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
2	http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
3	http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
4	http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
5	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
6	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
7	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
8	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
9	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
10	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
11	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
12	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
13	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
14	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
15	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
16	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
17	http://support.apple.com/kb/HT5880
18	http://support.apple.com/kb/HT5880
19	http://support.apple.com/kb/HT5892
20	http://support.apple.com/kb/HT5892
21	http://www.debian.org/security/2013/dsa-2658
22	http://www.debian.org/security/2013/dsa-2658
23	http://www.mandriva.com/security/advisories?name=MDVSA-2013:142
24	http://www.mandriva.com/security/advisories?name=MDVSA-2013:142
25	http://www.postgresql.org/about/news/1456/	Vendor Advisory
26	http://www.postgresql.org/about/news/1456/	Vendor Advisory
27	http://www.postgresql.org/docs/current/static/release-9-1-9.html
28	http://www.postgresql.org/docs/current/static/release-9-1-9.html
29	http://www.postgresql.org/docs/current/static/release-9-2-4.html
30	http://www.postgresql.org/docs/current/static/release-9-2-4.html
31	http://www.ubuntu.com/usn/USN-1789-1
32	http://www.ubuntu.com/usn/USN-1789-1

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

JVN Vulnerability Information

PostgreSQL におけるバックアップ制限を回避される脆弱性

Title	PostgreSQL におけるバックアップ制限を回避される脆弱性
Summary	PostgreSQL は、REPLICATION 権限を適切にチェックしないため、バックアップ制限を回避される脆弱性が存在します。
Possible impacts	リモート認証されたユーザにより、(1) pg_start_backup 関数または (2) pg_stop_backup 関数を呼び出されることで、バックアップ制限を回避される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	April 4, 2013, midnight
Registration Date	April 5, 2013, 2:25 p.m.
Last Update	Dec. 4, 2013, 6:13 p.m.

Affected System

PostgreSQL.org

PostgreSQL 9.19 未満の 9.1.x

PostgreSQL 9.24 未満の 9.2.x

アップル

Apple Mac OS X v10.7.5

Apple Mac OS X v10.8 から v10.8.4

Apple Mac OS X Server v10.7.5

macOS Server (旧 OS X Server) v2.2.2 未満 (Apple Mac OS X v10.8 以降)

Canonical

Ubuntu 10.04 LTS

Ubuntu 11.10

Ubuntu 12.04 LTS

Ubuntu 12.10

Ubuntu 8.04 LTS

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-1901	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1901
National Vulnerability Database (NVD)
2	CVE-2013-1901	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1901

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
Apple Mailing Lists
1	APPLE-SA-2013-09-12-1	http://lists.apple.com/archives/security-announce/2013/Sep/msg00002.html
2	APPLE-SA-2013-09-17-1	http://lists.apple.com/archives/security-announce/2013/Sep/msg00004.html
Apple Security Updates
3	HT5880	http://support.apple.com/kb/HT5880
4	HT5892	http://support.apple.com/kb/HT5892
Apple セキュリティアップデート
5	HT5880	http://support.apple.com/kb/HT5880?viewlocale=ja_JP
6	HT5892	http://support.apple.com/kb/HT5892?viewlocale=ja_JP
Debian セキュリティ勧告
7	DSA-2658	http://www.debian.org/security/2013/dsa-2658
Fedora Update Notification
8	FEDORA-2013-5000	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/101519.html
9	FEDORA-2013-6148	http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102806.html
opensuse-security-announce
10	openSUSE-SU-2013:0627	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00007.html
11	openSUSE-SU-2013:0628	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00008.html
12	openSUSE-SU-2013:0635	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00012.html
13	SUSE-SU-2013:0633	http://lists.opensuse.org/opensuse-security-announce/2013-04/msg00011.html
PostgreSQL NEWS
14	PostgreSQL 9.2.4, 9.1.9, 9.0.13 and 8.4.17 released	http://www.postgresql.org/about/news/1456/
PostgreSQL Release Notes
15	Release 9.1.9	http://www.postgresql.org/docs/current/static/release-9-1-9.html
16	Release 9.2.4	http://www.postgresql.org/docs/current/static/release-9-2-4.html
Security Advisories
17	MDVSA-2013:142	http://www.mandriva.com/security/advisories?name=MDVSA-2013:142
Ubuntu Security Notice
18	USN-1789-1	http://www.ubuntu.com/usn/USN-1789-1/

Change Log

No	Changed Details	Date of change
0	[2013年04月05日] 掲載 [2013年10月09日] 影響を受けるシステム：アップル (HT5880) の情報を追加影響を受けるシステム：アップル (HT5892) の情報を追加ベンダ情報：アップル (HT5880) を追加ベンダ情報：アップル (HT5892) を追加ベンダ情報：アップル (APPLE-SA-2013-09-17-1) を追加ベンダ情報：アップル (APPLE-SA-2013-09-12-1) を追加 [2013年12月04日] ベンダ情報：Debian (DSA-2658) を追加ベンダ情報：Fedora Project (FEDORA-2013-5000) を追加ベンダ情報：Fedora Project (FEDORA-2013-6148) を追加ベンダ情報：Mandriva, Inc. (MDVSA-2013:142) を追加ベンダ情報：Novell (openSUSE-SU-2013:0627) を追加ベンダ情報：Novell (openSUSE-SU-2013:0628) を追加ベンダ情報：Novell (SUSE-SU-2013:0633) を追加ベンダ情報：Novell (openSUSE-SU-2013:0635) を追加	Feb. 17, 2018, 10:37 a.m.

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:postgresql:postgresql:9.1.4:::::::*
cpe:2.3:a:postgresql:postgresql:9.1:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.5:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.8:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.2:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.6:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.7:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.3:::::::*
cpe:2.3:a:postgresql:postgresql:9.1.1:::::::*