Authorization Vulnerability in PostgreSQL Affects Multiple Versions
CVE-2018-10925

7.1HIGH

Key Information:

Vendor

Postgresql Global Development Group

Status
Postgresql
Vendor
CVE Published:
9 August 2018

What is CVE-2018-10925?

An issue was identified in PostgreSQL prior to specified versions, where authorization checks on certain SQL statements involving 'INSERT ... ON CONFLICT DO UPDATE' were insufficient. This flaw allows attackers with 'CREATE TABLE' privileges to potentially read arbitrary bytes from server memory. Moreover, if the attacker possesses specific 'INSERT' and limited 'UPDATE' permissions on a particular table, they could exploit this vulnerability to manipulate additional columns within that same table.

Affected Version(s)

postgresql 10.5

postgresql 9.6.10

postgresql 9.5.14

References

https://security.gentoo.org/glsa/201810-08
vendor-advisoryx_refsource_GENTOO
https://www.debian.org/security/2018/dsa-4269
vendor-advisoryx_refsource_DEBIAN
http://www.securityfocus.com/bid/105052
vdb-entryx_refsource_BID

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.