Total
170 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2005-0227 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 4.3 MEDIUM | N/A |
| PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users to load arbitrary shared libraries and execute code via the LOAD extension. | |||||
| CVE-2006-0678 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 1.5 LOW | N/A |
| PostgreSQL 7.3.x before 7.3.14, 7.4.x before 7.4.12, 8.0.x before 8.0.7, and 8.1.x before 8.1.3, when compiled with Asserts enabled, allows local users to cause a denial of service (server crash) via a crafted SET SESSION AUTHORIZATION command, a different vulnerability than CVE-2006-0553. | |||||
| CVE-2005-1409 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 7.5 HIGH | N/A |
| PostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability." | |||||
| CVE-2005-0245 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 7.5 HIGH | N/A |
| Buffer overflow in gram.y for PostgreSQL 8.0.0 and earlier may allow attackers to execute arbitrary code via a large number of arguments to a refcursor function (gram.y), which leads to a heap-based buffer overflow, a different vulnerability than CVE-2005-0247. | |||||
| CVE-1999-0862 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 2.1 LOW | N/A |
| Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file. | |||||
| CVE-2002-0802 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 7.5 HIGH | N/A |
| The multibyte support in PostgreSQL 6.5.x with SQL_ASCII encoding consumes an extra character when processing a character that cannot be converted, which could remove an escape character from the query and make the application subject to SQL injection attacks. | |||||
| CVE-2002-1402 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 4.6 MEDIUM | N/A |
| Buffer overflows in the (1) TZ and (2) SET TIME ZONE enivronment variables for PostgreSQL 7.2.1 and earlier allow local users to cause a denial of service and possibly execute arbitrary code. | |||||
| CVE-2005-0247 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 6.5 MEDIUM | N/A |
| Multiple buffer overflows in gram.y for PostgreSQL 8.0.1 and earlier may allow attackers to execute arbitrary code via (1) a large number of variables in a SQL statement being handled by the read_sql_construct function, (2) a large number of INTO variables in a SELECT statement being handled by the make_select_stmt function, (3) a large number of arbitrary variables in a SELECT statement being handled by the make_select_stmt function, and (4) a large number of INTO variables in a FETCH statement being handled by the make_fetch_stmt function, a different set of vulnerabilities than CVE-2005-0245. | |||||
| CVE-2002-1400 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 7.5 HIGH | N/A |
| Heap-based buffer overflow in the repeat() function for PostgreSQL before 7.2.2 allows attackers to execute arbitrary code by causing repeat() to generate a large string. | |||||
| CVE-2004-0547 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 5.0 MEDIUM | N/A |
| Buffer overflow in the ODBC driver for PostgreSQL before 7.2.1 allows remote attackers to cause a denial of service (crash). | |||||
| CVE-2002-0972 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 4.6 MEDIUM | N/A |
| Buffer overflows in PostgreSQL 7.2 allow attackers to cause a denial of service and possibly execute arbitrary code via long arguments to the functions (1) lpad or (2) rpad. | |||||
| CVE-2005-0246 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 5.0 MEDIUM | N/A |
| The intagg contrib module for PostgreSQL 8.0.0 and earlier allows attackers to cause a denial of service (crash) via crafted arrays. | |||||
| CVE-2000-1199 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 4.6 MEDIUM | N/A |
| PostgreSQL stores usernames and passwords in plaintext in (1) pg_shadow and (2) pg_pwd, which allows attackers with sufficient privileges to gain access to databases. | |||||
| CVE-2002-1399 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 10.0 HIGH | N/A |
| Unknown vulnerability in cash_out and possibly other functions in PostgreSQL 7.2.1 and earlier, and possibly later versions before 7.2.3, with unknown impact, based on an invalid integer input which is processed as a different data type, as demonstrated using cash_out(2). | |||||
| CVE-2002-1401 | 1 Postgresql | 1 Postgresql | 2025-04-03 | 6.5 MEDIUM | N/A |
| Buffer overflows in (1) circle_poly, (2) path_encode and (3) path_add (also incorrectly identified as path_addr) for PostgreSQL 7.2.3 and earlier allow attackers to cause a denial of service and possibly execute arbitrary code, possibly as a result of an integer overflow. | |||||
| CVE-2024-4317 | 1 Postgresql | 1 Postgresql | 2025-03-28 | N/A | 3.1 LOW |
| Missing authorization in PostgreSQL built-in views pg_stats_ext and pg_stats_ext_exprs allows an unprivileged database user to read most common values and other statistics from CREATE STATISTICS commands of other users. The most common values may reveal column values the eavesdropper could not otherwise read or results of functions they cannot execute. Installing an unaffected version only fixes fresh PostgreSQL installations, namely those that are created with the initdb utility after installing that version. Current PostgreSQL installations will remain vulnerable until they follow the instructions in the release notes. Within major versions 14-16, minor versions before PostgreSQL 16.3, 15.7, and 14.12 are affected. Versions before PostgreSQL 14 are unaffected. | |||||
| CVE-2022-41862 | 3 Fedoraproject, Postgresql, Redhat | 6 Fedora, Postgresql, Enterprise Linux and 3 more | 2025-03-07 | N/A | 3.7 LOW |
| In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes. | |||||
| CVE-2023-2455 | 3 Fedoraproject, Postgresql, Redhat | 4 Fedora, Postgresql, Enterprise Linux and 1 more | 2025-01-06 | N/A | 5.4 MEDIUM |
| Row security policies disregard user ID changes after inlining; PostgreSQL could permit incorrect policies to be applied in certain cases where role-specific policies are used and a given query is planned under one role and then executed under other roles. This scenario can happen under security definer functions or when a common user and query is planned initially and then re-used across multiple SET ROLEs. Applying an incorrect policy may permit a user to complete otherwise-forbidden reads and modifications. This affects only databases that have used CREATE POLICY to define a row security policy. | |||||
| CVE-2023-2454 | 3 Fedoraproject, Postgresql, Redhat | 4 Fedora, Postgresql, Enterprise Linux and 1 more | 2025-01-06 | N/A | 7.2 HIGH |
| schema_element defeats protective search_path changes; It was found that certain database calls in PostgreSQL could permit an authed attacker with elevated database-level privileges to execute arbitrary code. | |||||
| CVE-2024-0985 | 1 Postgresql | 1 Postgresql | 2024-12-20 | N/A | 8.0 HIGH |
| Late privilege drop in REFRESH MATERIALIZED VIEW CONCURRENTLY in PostgreSQL allows an object creator to execute arbitrary SQL functions as the command issuer. The command intends to run SQL functions as the owner of the materialized view, enabling safe refresh of untrusted materialized views. The victim is a superuser or member of one of the attacker's roles. The attack requires luring the victim into running REFRESH MATERIALIZED VIEW CONCURRENTLY on the attacker's materialized view. Versions before PostgreSQL 16.2, 15.6, 14.11, 13.14, and 12.18 are affected. | |||||