CVE-1999-0862: Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privile
Insecure directory permissions in RPM distribution for PostgreSQL allows local users to gain privileges by reading a plaintext password file.
AI Analysis
Technical Summary
CVE-1999-0862 is a vulnerability identified in older RPM distributions of PostgreSQL versions 6.3.2, 6.5.3, and 6.5.3.1. The issue arises from insecure directory permissions that allow local users on the affected system to read a plaintext password file. This exposure enables unauthorized privilege escalation by granting access to sensitive authentication credentials. The vulnerability is local in nature, requiring the attacker to have access to the system already, but no authentication is needed to exploit the flaw once local access is obtained. The CVSS score of 2.1 reflects the low severity, primarily because the attack vector is local and the impact is limited to confidentiality loss without affecting integrity or availability. The vulnerability does not have a patch available, likely due to the age of the affected PostgreSQL versions, which are now obsolete and unsupported. The core technical issue is improper file system permissions on directories or files containing PostgreSQL password data, which should have been restricted to privileged users only. This misconfiguration allows any local user to read sensitive password information in plaintext, potentially leading to unauthorized database access and privilege escalation within the system.
Potential Impact
For European organizations, the impact of this vulnerability is generally low given the age of the affected PostgreSQL versions and the requirement for local system access. However, if legacy systems running these outdated PostgreSQL versions are still in use, the exposure of plaintext passwords could lead to unauthorized access to critical databases, potentially compromising sensitive business data. This could result in data confidentiality breaches, unauthorized data manipulation, or lateral movement within the network if attackers leverage the gained privileges. The vulnerability does not affect system availability or data integrity directly but poses a risk to confidentiality. Organizations relying on PostgreSQL for critical applications should be aware that any legacy installations with insecure directory permissions could be exploited by malicious insiders or attackers who have gained initial local access through other means. The risk is compounded in environments where local user accounts are shared or poorly controlled, increasing the likelihood of exploitation.
Mitigation Recommendations
Given the absence of an official patch for these legacy PostgreSQL versions, European organizations should prioritize upgrading to supported, modern PostgreSQL releases that follow current security best practices for file permissions and credential storage. In the interim, organizations should audit and correct file system permissions on PostgreSQL directories and password files to ensure that only the PostgreSQL service account and system administrators have read access. Implement strict access controls and monitoring on systems running PostgreSQL to detect unauthorized local access attempts. Employ host-based intrusion detection systems (HIDS) to alert on suspicious file access patterns. Additionally, organizations should enforce strong local user account management policies, including minimizing the number of users with local access and using role-based access controls. If legacy systems cannot be upgraded immediately, consider isolating them within segmented network zones to limit potential lateral movement. Finally, ensure that PostgreSQL passwords are rotated regularly and consider using more secure authentication methods that do not rely on plaintext password files.
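The permission audit recommended above, as an added example (not part of the original advisory or of PostgreSQL): it walks a directory tree and separates files that non-owners can actually reach from files shielded only by a closed parent directory, which is the distinction this CVE turns on. The directory to audit is supplied by the caller, since the advisory does not name the affected path, and group and other permission bits are treated together as a conservative simplification.

```python
import os
import stat
import sys

NON_OWNER_R = stat.S_IRGRP | stat.S_IROTH
NON_OWNER_W = stat.S_IWGRP | stat.S_IWOTH
NON_OWNER_X = stat.S_IXGRP | stat.S_IXOTH


def audit_tree(root):
    """Return sorted (relative_path, finding) pairs for a directory tree.

    open-dir  directory that group/other can list or search
    exposed   file readable by group/other and reachable through open dirs
    latent    file readable by group/other, shielded only by a closed parent
    writable  entry that group/other can modify
    Run as the owning service account or root so every directory can be listed.
    """
    findings = []

    def visit(path, reachable):
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            return  # never follow links out of the audited tree
        rel = os.path.relpath(path, root)
        if mode & NON_OWNER_W:
            findings.append((rel, "writable"))
        if stat.S_ISDIR(mode):
            if mode & (NON_OWNER_R | NON_OWNER_X):
                findings.append((rel, "open-dir"))
            # A child is reachable only if every directory above it grants search (x).
            child_reachable = reachable and bool(mode & NON_OWNER_X)
            for name in sorted(os.listdir(path)):
                visit(os.path.join(path, name), child_reachable)
        elif mode & NON_OWNER_R:
            findings.append((rel, "exposed" if reachable else "latent"))

    # Directories above `root` are assumed searchable (worst case).
    visit(root, True)
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit.py /path/to/database/directory
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, finding in audit_tree(target):
        print(f"{finding:9} {rel}")
```

A `latent` finding still needs fixing: the file is one directory `chmod` away from being exposed.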
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland
Threat ID: 682ca32cb6fd31d6ed7df49a
Added to database: 5/20/2025, 3:43:40 PM
Last enriched: 7/1/2025, 1:11:15 PM
Last updated: 8/14/2025, 5:46:27 PM