Authorization Vulnerability in PostgreSQL Affects Multiple Versions
CVE-2018-10925

7.1HIGH

What is CVE-2018-10925?

An issue was identified in PostgreSQL prior to specified versions, where authorization checks on certain SQL statements involving 'INSERT ... ON CONFLICT DO UPDATE' were insufficient. This flaw allows attackers with 'CREATE TABLE' privileges to potentially read arbitrary bytes from server memory. Moreover, if the attacker possesses specific 'INSERT' and limited 'UPDATE' permissions on a particular table, they could exploit this vulnerability to manipulate additional columns within that same table.

Affected Version(s)

postgresql 10.5

postgresql 9.6.10

postgresql 9.5.14

References

CVSS V3.1

Score:
7.1
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2018-10925 : Authorization Vulnerability in PostgreSQL Affects Multiple Versions