PostgreSQL CVE-2016-5424 Multiple Local Privilege Escalation Vulnerabilities

PostgreSQL is prone to multiple local privilege-escalation vulnerabilities.

Local attackers can exploit these issues to gain elevated privileges.

Information

Bugtraq ID: 92435
Class: Design Error
CVE: CVE-2016-5424

Remote: No
Local: Yes
Published: Aug 04 2016 12:00AM
Updated: Apr 17 2017 05:07PM
Credit: The vendor reported this issue.
Vulnerable: SuSE Linux Enterprise Software Development Kit 12 SP1
SuSE Linux Enterprise Software Development Kit 11 SP4
SuSE Linux Enterprise Server for SAP 12
SuSE Linux Enterprise Server 12-LTSS
SuSE Linux Enterprise Server 12 SP1
SuSE Linux Enterprise Server 11 SP4
SuSE Linux Enterprise Desktop 12 SP1
SuSE Linux Enterprise Debuginfo 11 SP4
S.u.S.E. openSUSE 13.2
Redhat Software Collections 1 for RHEL 7 0
Redhat Software Collections 1 for RHEL 6 0
PostgreSQL PostgreSQL 9.5.1
PostgreSQL PostgreSQL 9.5
PostgreSQL PostgreSQL 9.4.6
PostgreSQL PostgreSQL 9.4.5
PostgreSQL PostgreSQL 9.4.4
PostgreSQL PostgreSQL 9.4.3
PostgreSQL PostgreSQL 9.4.2
PostgreSQL PostgreSQL 9.4.1
PostgreSQL PostgreSQL 9.3.11
PostgreSQL PostgreSQL 9.3.10
PostgreSQL PostgreSQL 9.3.9
PostgreSQL PostgreSQL 9.3.8
PostgreSQL PostgreSQL 9.3.7
PostgreSQL PostgreSQL 9.3.6
PostgreSQL PostgreSQL 9.3.5
PostgreSQL PostgreSQL 9.3.4
PostgreSQL PostgreSQL 9.3.3
PostgreSQL PostgreSQL 9.3.2
PostgreSQL PostgreSQL 9.2.15
PostgreSQL PostgreSQL 9.2.14
PostgreSQL PostgreSQL 9.2.13
PostgreSQL PostgreSQL 9.2.12
PostgreSQL PostgreSQL 9.2.11
PostgreSQL PostgreSQL 9.2.10
PostgreSQL PostgreSQL 9.2.8
PostgreSQL PostgreSQL 9.2.7
PostgreSQL PostgreSQL 9.2.6
PostgreSQL PostgreSQL 9.2.5
PostgreSQL PostgreSQL 9.2.3
PostgreSQL PostgreSQL 9.1.20
PostgreSQL PostgreSQL 9.1.19
PostgreSQL PostgreSQL 9.1.18
PostgreSQL PostgreSQL 9.1.17
PostgreSQL PostgreSQL 9.1.16
PostgreSQL PostgreSQL 9.1.15
PostgreSQL PostgreSQL 9.1.14
PostgreSQL PostgreSQL 9.1.13
PostgreSQL PostgreSQL 9.1.12
PostgreSQL PostgreSQL 9.1.11
PostgreSQL PostgreSQL 9.1.8
PostgreSQL PostgreSQL 9.1.3
PostgreSQL PostgreSQL 9.5.2
PostgreSQL PostgreSQL 9.4.1-1
PostgreSQL PostgreSQL 9.4
PostgreSQL PostgreSQL 9.3.1
PostgreSQL PostgreSQL 9.3
PostgreSQL PostgreSQL 9.2.4-1
PostgreSQL PostgreSQL 9.2.4
PostgreSQL PostgreSQL 9.2.2-1
PostgreSQL PostgreSQL 9.2.2
PostgreSQL PostgreSQL 9.2.1
PostgreSQL PostgreSQL 9.2
PostgreSQL PostgreSQL 9.1.9-1
PostgreSQL PostgreSQL 9.1.9
PostgreSQL PostgreSQL 9.1.7
PostgreSQL PostgreSQL 9.1.6
PostgreSQL PostgreSQL 9.1.5
PostgreSQL PostgreSQL 9.1.4
PostgreSQL PostgreSQL 9.1.2
PostgreSQL PostgreSQL 9.1.11-2
PostgreSQL PostgreSQL 9.1.10
PostgreSQL PostgreSQL 9.1.1
PostgreSQL PostgreSQL 9.1
openSUSE Leap 42.2
openSUSE Leap 42.1
Gentoo Linux

Not Vulnerable: PostgreSQL PostgreSQL 9.5.4
PostgreSQL PostgreSQL 9.4.9
PostgreSQL PostgreSQL 9.3.14
PostgreSQL PostgreSQL 9.2.18
PostgreSQL PostgreSQL 9.1.23

References:

• 2016-08-11 Security Update Release (postgresql.org)
  
• Bug 1364002 - (CVE-2016-5424) CVE-2016-5424 postgresql: privilege escalation via (Red Hat Bugzilla)
  
• Obstruct shell, SQL, and conninfo injection via database and role names. (PostgreSQL)
  
• PostgreSQL Homepage (PostgreSQL)
  
• RHSA-2016:1781: rh-postgresql94-postgresql security update (Redhat)
  

Source: www.securityfocus.com