Authorization Vulnerability in PostgreSQL Affects Multiple Versions
CVE-2018-10925
7.1HIGH
Key Information:
- Status
- Vendor
- CVE Published:
- 9 August 2018
What is CVE-2018-10925?
An issue was identified in PostgreSQL prior to specified versions, where authorization checks on certain SQL statements involving 'INSERT ... ON CONFLICT DO UPDATE' were insufficient. This flaw allows attackers with 'CREATE TABLE' privileges to potentially read arbitrary bytes from server memory. Moreover, if the attacker possesses specific 'INSERT' and limited 'UPDATE' permissions on a particular table, they could exploit this vulnerability to manipulate additional columns within that same table.
Affected Version(s)
postgresql 10.5
postgresql 9.6.10
postgresql 9.5.14