Vulnerability Details : CVE-2010-3781
The PL/php add-on 1.4 and earlier for PostgreSQL does not properly protect script execution by a different SQL user identity within the same session, which allows remote authenticated users to gain privileges via crafted script code in a SECURITY DEFINER function, a related issue to CVE-2010-3433.
Exploit prediction scoring system (EPSS) score for CVE-2010-3781
Probability of exploitation activity in the next 30 days: 0.48%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 75 %
CVSS scores for CVE-2010-3781
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
---|---|---|---|---|---|
6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P | 6.8 | 6.4 | NIST |
CWE ids for CVE-2010-3781
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-3781
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6645 (Repository / Oval Repository)
- http://www.postgresql.org/about/news.1244 (PostgreSQL: Not Found)
- http://www.postgresql.org/docs/9.0/static/release-9-0-1.html (PostgreSQL: Documentation: 9.0: Release 9.0.1)
Products affected by CVE-2010-3781
- cpe:2.3:a:alvaro_herrera:pl\/php:*:*:*:*:*:*:*:* When used together with: Postgresql » Postgresql
- cpe:2.3:a:alvaro_herrera:pl\/php:1.3.2:*:*:*:*:*:*:* When used together with: Postgresql » Postgresql
- cpe:2.3:a:alvaro_herrera:pl\/php:1.3.1:*:*:*:*:*:*:* When used together with: Postgresql » Postgresql
- cpe:2.3:a:alvaro_herrera:pl\/php:1.3.5:beta1:*:*:*:*:*:* When used together with: Postgresql » Postgresql
- cpe:2.3:a:alvaro_herrera:pl\/php:1.3.3:*:*:*:*:*:*:* When used together with: Postgresql » Postgresql
- cpe:2.3:a:alvaro_herrera:pl\/php:1.0:*:*:*:*:*:*:* When used together with: Postgresql » Postgresql
- cpe:2.3:a:alvaro_herrera:pl\/php:1.2:*:*:*:*:*:*:* When used together with: Postgresql » Postgresql
- cpe:2.3:a:alvaro_herrera:pl\/php:1.1:*:*:*:*:*:*:* When used together with: Postgresql » Postgresql