PostgreSQL Client Library Vulnerability Affecting libpq
CVE-2018-10915

8.5HIGH

What is CVE-2018-10915?

A security flaw exists in the libpq library of PostgreSQL, where internal state management between connections may fail to reset properly. When users employ 'host' or 'hostaddr' connection parameters sourced from untrusted input, an attacker could exploit this vulnerability to bypass client-side security measures. This could lead to unauthorized access to higher privilege connections, or potentially cause critical SQL injection issues due to malfunctioning PQescape() functions. Versions of PostgreSQL prior to 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected, making timely updates essential to protect against potential attacks.

Affected Version(s)

postgresql 10.5

postgresql 9.6.10

postgresql 9.5.14

References

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2018-10915 : PostgreSQL Client Library Vulnerability Affecting libpq