CVE-2010-3781

Description

The PL/php add-on 1.4 and earlier for PostgreSQL does not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, a related issue to CVE-2010-3433.

Affected products

• alvaro_herrera / pl/php1.4
• alvaro_herrera / pl/php1.0 – 1.0
• alvaro_herrera / pl/php1.1 – 1.1
• alvaro_herrera / pl/php1.2 – 1.2
• alvaro_herrera / pl/php1.3.1 – 1.3.1
• alvaro_herrera / pl/php1.3.2 – 1.3.2
• alvaro_herrera / pl/php1.3.3 – 1.3.3
• alvaro_herrera / pl/php1.3.5 – 1.3.5

References

• MISChttps://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6645
• MISChttp://www.postgresql.org/docs/9.0/static/release-9-0-1.html
• MISChttp://www.postgresql.org/about/news.1244