EnterpriseDB Windows installer bundled OpenSSL executes code from unprotected directory (CVE-2019-10211)

oval:org.cisecurity:def:8243

When the database server or the libpq client library initializes SSL, libeay32.dll attempts to read configuration from a hard-coded directory. Typically the directory does not exist, but any local user could create it and inject configuration. This configuration can direct OpenSSL to load and execute arbitrary code as the user running a PostgreSQL server or client. Most PostgreSQL client tools and libraries use libpq, so the vulnerability can be encountered through any of them.

Family: windows
Status: ACCEPTED
Platform(s):
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Vista
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2003
  • Microsoft Windows 8
  • Microsoft Windows 7
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 8.1
  • Microsoft Windows Server 2016
  • Microsoft Windows 10
  • Microsoft Windows XP
Class: vulnerability
Reference(s):
  • CVE-2019-10211
Product(s):
  • PostgreSQL