CVE-2016-5424
Published: 11 August 2016
PostgreSQL before 9.1.23, 9.2.x before 9.2.18, 9.3.x before 9.3.14, 9.4.x before 9.4.9, and 9.5.x before 9.5.4 might allow remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a (1) " (double quote), (2) \ (backslash), (3) carriage return, or (4) newline character in a (a) database or (b) role name that is mishandled during an administrative operation.
Priority
Medium
CVSS 3 base score: 7.1
Status
| Package | Release | Status |
|---|---|---|
|
postgresql-8.4 Launchpad, Ubuntu, Debian |
precise |
Does not exist
(precise was needs-triage)
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
postgresql-9.1 Launchpad, Ubuntu, Debian |
precise |
Released
(9.1.23-0ubuntu0.12.04)
|
| trusty |
Does not exist
(trusty was released [9.1.23-0ubuntu0.14.04])
|
|
| upstream |
Released
(9.1.23)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
postgresql-9.3 Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Released
(9.3.14-0ubuntu0.14.04)
|
|
| upstream |
Released
(9.3.14)
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
postgresql-9.5 Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| upstream |
Released
(9.5.4)
|
|
| xenial |
Released
(9.5.4-0ubuntu0.16.04)
|
|
| yakkety |
Not vulnerable
(9.5.4-1)
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=fcd15f13581f6d75c63d213220d5a94889206c1b |
||