PostgreSQL Vulnerability Allows Unauthorized File Access
CVE-2018-1053

7HIGH

What is CVE-2018-1053?

In PostgreSQL versions prior to 9.3.21, 9.4.16, 9.5.11, 9.6.7, and 10.2, a flaw exists in the pg_upgrade utility where it writes output files in the current working directory without ensuring secure file permissions. As a result, authenticated users may gain access to sensitive data, including database passwords, if file permissions are improperly set. This vulnerability poses a risk under certain directory and umask configurations, highlighting the importance of secure file handling practices.

Affected Version(s)

postgresql 9.3.x before 9.3.21

postgresql 9.4.x before 9.4.16

postgresql 9.5.x before 9.5.11

References

CVSS V3.1

Score:
7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.