PostgreSQL Client Library Vulnerability Affecting libpq
CVE-2018-10915

8.5HIGH

Key Information:

Vendor

Postgresql Global Development Group

Status
Postgresql
Vendor
CVE Published:
9 August 2018

What is CVE-2018-10915?

A security flaw exists in the libpq library of PostgreSQL, where internal state management between connections may fail to reset properly. When users employ 'host' or 'hostaddr' connection parameters sourced from untrusted input, an attacker could exploit this vulnerability to bypass client-side security measures. This could lead to unauthorized access to higher privilege connections, or potentially cause critical SQL injection issues due to malfunctioning PQescape() functions. Versions of PostgreSQL prior to 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected, making timely updates essential to protect against potential attacks.

Affected Version(s)

postgresql 10.5

postgresql 9.6.10

postgresql 9.5.14

References

https://security.gentoo.org/glsa/201810-08
vendor-advisoryx_refsource_GENTOO
https://access.redhat.com/errata/RHSA-2018:2729
vendor-advisoryx_refsource_REDHAT
https://www.debian.org/security/2018/dsa-4269
vendor-advisoryx_refsource_DEBIAN

CVSS V3.1

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.