Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Informations
Name CVE-2010-0442 First vendor Publication 2010-02-02
Vendor Cve Last vendor Modification 2023-02-24

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Cvss Base Score 6.5 Attack Range Network
Cvss Impact Score 6.4 Attack Complexity Low
Cvss Expoit Score 8 Authentication Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0442

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-189 Numeric Errors (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:13207
 
Oval ID: oval:org.mitre.oval:def:13207
Title: USN-933-1 -- postgresql-8.1, postgresql-8.3, postgresql-8.4 vulnerability
Description: It was discovered that PostgreSQL did not properly sanitize its input when using substring with a SELECT statement. A remote authenticated attacker could exploit this to cause a denial of service via application crash.
Family: unix Class: patch
Reference(s): USN-933-1
CVE-2010-0442
Version: 5
Platform(s): Ubuntu 8.04
Ubuntu 9.10
Ubuntu 6.06
Ubuntu 9.04
Product(s): postgresql-8.1
postgresql-8.3
postgresql-8.4
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9720
 
Oval ID: oval:org.mitre.oval:def:9720
Title: The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."
Description: The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."
Family: unix Class: vulnerability
Reference(s): CVE-2010-0442
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 205

OpenVAS Exploits

Date Description
2012-02-12 Name : Gentoo Security Advisory GLSA 201110-22 (postgresql-server postgresql-base)
File : nvt/glsa_201110_22.nasl
2011-08-09 Name : CentOS Update for postgresql CESA-2010:0429 centos5 i386
File : nvt/gb_CESA-2010_0429_postgresql_centos5_i386.nasl
2010-06-03 Name : Debian Security Advisory DSA 2051-1 (postgresql-8.3)
File : nvt/deb_2051_1.nasl
2010-05-28 Name : CentOS Update for rh-postgresql CESA-2010:0427 centos3 i386
File : nvt/gb_CESA-2010_0427_rh-postgresql_centos3_i386.nasl
2010-05-28 Name : CentOS Update for postgresql CESA-2010:0428 centos4 i386
File : nvt/gb_CESA-2010_0428_postgresql_centos4_i386.nasl
2010-05-28 Name : RedHat Update for postgresql RHSA-2010:0427-01
File : nvt/gb_RHSA-2010_0427-01_postgresql.nasl
2010-05-28 Name : RedHat Update for postgresql RHSA-2010:0428-01
File : nvt/gb_RHSA-2010_0428-01_postgresql.nasl
2010-05-28 Name : RedHat Update for postgresql RHSA-2010:0429-01
File : nvt/gb_RHSA-2010_0429-01_postgresql.nasl
2010-05-28 Name : Mandriva Update for postgresql MDVSA-2010:103 (postgresql)
File : nvt/gb_mandriva_MDVSA_2010_103.nasl
2010-04-30 Name : Ubuntu Update for PostgreSQL vulnerability USN-933-1
File : nvt/gb_ubuntu_USN_933_1.nasl
2010-03-30 Name : FreeBSD Ports: postgresql-server
File : nvt/freebsd_postgresql-server0.nasl
2010-03-22 Name : Mandriva Update for poppler MDVA-2010:103 (poppler)
File : nvt/gb_mandriva_MDVA_2010_103.nasl
2010-01-28 Name : PostgreSQL 'bitsubstr' Buffer Overflow Vulnerability
File : nvt/postgresql_37973.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
62129 PostgreSQL backend/utils/adt/varbit.c bitsubstr Function Remote DoS

Snort® IPS/IDS

Date Description
2014-01-10 PostgreSQL bit substring buffer overflow attempt
RuleID : 16393 - Revision : 9 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0427.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0428.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2010-0429.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20100519_postgresql_on_SL3_x.nasl - Type : ACT_GATHER_INFO
2011-10-25 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201110-22.nasl - Type : ACT_GATHER_INFO
2010-06-01 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0429.nasl - Type : ACT_GATHER_INFO
2010-05-25 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2051.nasl - Type : ACT_GATHER_INFO
2010-05-24 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0427.nasl - Type : ACT_GATHER_INFO
2010-05-24 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2010-0428.nasl - Type : ACT_GATHER_INFO
2010-05-21 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2010-103.nasl - Type : ACT_GATHER_INFO
2010-05-20 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0427.nasl - Type : ACT_GATHER_INFO
2010-05-20 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0428.nasl - Type : ACT_GATHER_INFO
2010-05-20 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2010-0429.nasl - Type : ACT_GATHER_INFO
2010-04-29 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-933-1.nasl - Type : ACT_GATHER_INFO
2010-03-26 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_e050119b385611dfb2b2002170daae37.nasl - Type : ACT_GATHER_INFO

Sources (Detail)

Source Url
BID http://www.securityfocus.com/bid/37973
CONFIRM https://bugzilla.redhat.com/show_bug.cgi?id=559194
https://bugzilla.redhat.com/show_bug.cgi?id=559259
DEBIAN http://www.debian.org/security/2010/dsa-2051
MANDRIVA http://www.mandriva.com/security/advisories?name=MDVSA-2010:103
MISC http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567058
http://git.postgresql.org/gitweb?p=postgresql.git%3Ba=commit%3Bh=75dea10196c3...
http://git.postgresql.org/gitweb?p=postgresql.git%3Ba=commit%3Bh=b15087cb39ca...
http://intevydis.blogspot.com/2010/01/postgresql-8023-bitsubstr-overflow.html
MLIST http://archives.postgresql.org/pgsql-committers/2010-01/msg00125.php
http://archives.postgresql.org/pgsql-hackers/2010-01/msg00634.php
http://www.openwall.com/lists/oss-security/2010/01/27/5
OVAL https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.ova...
REDHAT http://www.redhat.com/support/errata/RHSA-2010-0427.html
http://www.redhat.com/support/errata/RHSA-2010-0428.html
http://www.redhat.com/support/errata/RHSA-2010-0429.html
SECTRACK http://securitytracker.com/id?1023510
SECUNIA http://secunia.com/advisories/39566
http://secunia.com/advisories/39820
http://secunia.com/advisories/39939
UBUNTU http://ubuntu.com/usn/usn-933-1
VUPEN http://www.vupen.com/english/advisories/2010/1022
http://www.vupen.com/english/advisories/2010/1197
http://www.vupen.com/english/advisories/2010/1207
http://www.vupen.com/english/advisories/2010/1221
XF https://exchange.xforce.ibmcloud.com/vulnerabilities/55902

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
5
6
7
8
9
10
Date Informations
2023-02-24 21:27:52
  • Multiple Updates
2023-02-13 09:29:13
  • Multiple Updates
2021-05-04 12:11:08
  • Multiple Updates
2021-04-22 01:11:39
  • Multiple Updates
2020-05-23 00:25:15
  • Multiple Updates
2017-09-19 09:23:38
  • Multiple Updates
2017-08-17 09:22:55
  • Multiple Updates
2016-04-26 19:33:45
  • Multiple Updates
2014-02-17 10:53:43
  • Multiple Updates
2014-01-19 21:26:36
  • Multiple Updates
2013-05-10 23:17:35
  • Multiple Updates