ID CVE-2018-10925
Summary It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.
References
Vulnerable Configurations
  • Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:14.04:-:-:-:lts
  • Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)
    cpe:2.3:o:canonical:ubuntu_linux:16.04:-:-:-:lts
  • cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
    cpe:2.3:o:canonical:ubuntu_linux:18.04:-:-:-:lts
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
  • PostgreSQL 9.3.0
    cpe:2.3:a:postgresql:postgresql:9.3.0
  • PostgreSQL PostgreSQL 9.3.1
    cpe:2.3:a:postgresql:postgresql:9.3.1
  • PostgreSQL PostgreSQL 9.3.2
    cpe:2.3:a:postgresql:postgresql:9.3.2
  • PostgreSQL PostgreSQL 9.3.3
    cpe:2.3:a:postgresql:postgresql:9.3.3
  • PostgreSQL 9.3.4
    cpe:2.3:a:postgresql:postgresql:9.3.4
  • PostgreSQL 9.3.5
    cpe:2.3:a:postgresql:postgresql:9.3.5
  • PostgreSQL 9.3.6
    cpe:2.3:a:postgresql:postgresql:9.3.6
  • PostgreSQL 9.3.7
    cpe:2.3:a:postgresql:postgresql:9.3.7
  • PostgreSQL 9.3.8
    cpe:2.3:a:postgresql:postgresql:9.3.8
  • PostgreSQL 9.3.9
    cpe:2.3:a:postgresql:postgresql:9.3.9
  • PostgreSQL 9.3.10
    cpe:2.3:a:postgresql:postgresql:9.3.10
  • PostgreSQL 9.3.11
    cpe:2.3:a:postgresql:postgresql:9.3.11
  • PostgreSQL 9.3.12
    cpe:2.3:a:postgresql:postgresql:9.3.12
  • PostgreSQL 9.3.13
    cpe:2.3:a:postgresql:postgresql:9.3.13
  • PostgreSQL 9.3.14
    cpe:2.3:a:postgresql:postgresql:9.3.14
  • PostgreSQL 9.3.15
    cpe:2.3:a:postgresql:postgresql:9.3.15
  • PostgreSQL 9.3.16
    cpe:2.3:a:postgresql:postgresql:9.3.16
  • PostgreSQL 9.3.17
    cpe:2.3:a:postgresql:postgresql:9.3.17
  • PostgreSQL 9.3.18
    cpe:2.3:a:postgresql:postgresql:9.3.18
  • PostgreSQL 9.3.19
    cpe:2.3:a:postgresql:postgresql:9.3.19
  • PostgreSQL 9.3.20
    cpe:2.3:a:postgresql:postgresql:9.3.20
  • PostgreSQL 9.3.21
    cpe:2.3:a:postgresql:postgresql:9.3.21
  • PostgreSQL 9.3.22
    cpe:2.3:a:postgresql:postgresql:9.3.22
  • PostgreSQL 9.4.0
    cpe:2.3:a:postgresql:postgresql:9.4.0
  • PostgreSQL 9.4.1
    cpe:2.3:a:postgresql:postgresql:9.4.1
  • PostgreSQL 9.4.2
    cpe:2.3:a:postgresql:postgresql:9.4.2
  • PostgreSQL 9.4.3
    cpe:2.3:a:postgresql:postgresql:9.4.3
  • PostgreSQL 9.4.4
    cpe:2.3:a:postgresql:postgresql:9.4.4
  • PostgreSQL PostgreSQL 9.4.5
    cpe:2.3:a:postgresql:postgresql:9.4.5
  • PostgreSQL 9.4.6
    cpe:2.3:a:postgresql:postgresql:9.4.6
  • PostgreSQL 9.4.7
    cpe:2.3:a:postgresql:postgresql:9.4.7
  • PostgreSQL 9.4.8
    cpe:2.3:a:postgresql:postgresql:9.4.8
  • PostgreSQL 9.4.9
    cpe:2.3:a:postgresql:postgresql:9.4.9
  • PostgreSQL 9.4.10
    cpe:2.3:a:postgresql:postgresql:9.4.10
  • PostgreSQL 9.4.11
    cpe:2.3:a:postgresql:postgresql:9.4.11
  • PostgreSQL 9.4.12
    cpe:2.3:a:postgresql:postgresql:9.4.12
  • PostgreSQL 9.4.13
    cpe:2.3:a:postgresql:postgresql:9.4.13
  • PostgreSQL 9.4.14
    cpe:2.3:a:postgresql:postgresql:9.4.14
  • PostgreSQL 9.4.15
    cpe:2.3:a:postgresql:postgresql:9.4.15
  • PostgreSQL 9.4.16
    cpe:2.3:a:postgresql:postgresql:9.4.16
  • PostgreSQL 9.5.0
    cpe:2.3:a:postgresql:postgresql:9.5.0
  • PostgreSQL 9.5.1
    cpe:2.3:a:postgresql:postgresql:9.5.1
  • PostgreSQL 9.5.2
    cpe:2.3:a:postgresql:postgresql:9.5.2
  • PostgreSQL 9.5.3
    cpe:2.3:a:postgresql:postgresql:9.5.3
  • PostgreSQL 9.5.4
    cpe:2.3:a:postgresql:postgresql:9.5.4
  • PostgreSQL 9.5.5
    cpe:2.3:a:postgresql:postgresql:9.5.5
  • PostgreSQL 9.5.6
    cpe:2.3:a:postgresql:postgresql:9.5.6
  • PostgreSQL 9.5.7
    cpe:2.3:a:postgresql:postgresql:9.5.7
  • PostgreSQL 9.5.8
    cpe:2.3:a:postgresql:postgresql:9.5.8
  • PostgreSQL 9.5.9
    cpe:2.3:a:postgresql:postgresql:9.5.9
  • PostgreSQL 9.5.10
    cpe:2.3:a:postgresql:postgresql:9.5.10
  • PostgreSQL 9.5.11
    cpe:2.3:a:postgresql:postgresql:9.5.11
  • PostgreSQL 9.6.0
    cpe:2.3:a:postgresql:postgresql:9.6.0
  • PostgreSQL 9.6.1
    cpe:2.3:a:postgresql:postgresql:9.6.1
  • PostgreSQL 9.6.2
    cpe:2.3:a:postgresql:postgresql:9.6.2
  • PostgreSQL 9.6.3
    cpe:2.3:a:postgresql:postgresql:9.6.3
  • PostgreSQL 9.6.4
    cpe:2.3:a:postgresql:postgresql:9.6.4
  • PostgreSQL 9.6.5
    cpe:2.3:a:postgresql:postgresql:9.6.5
  • PostgreSQL 9.6.6
    cpe:2.3:a:postgresql:postgresql:9.6.6
  • PostgreSQL 9.6.7
    cpe:2.3:a:postgresql:postgresql:9.6.7
  • PostgreSQL 9.6.8
    cpe:2.3:a:postgresql:postgresql:9.6.8
  • PostgreSQL 9.6.9
    cpe:2.3:a:postgresql:postgresql:9.6.9
  • PostgreSQL 10.0
    cpe:2.3:a:postgresql:postgresql:10.0
  • PostgreSQL 10.1
    cpe:2.3:a:postgresql:postgresql:10.1
  • PostgreSQL 10.2
    cpe:2.3:a:postgresql:postgresql:10.2
  • PostgreSQL 10.3
    cpe:2.3:a:postgresql:postgresql:10.3
  • PostgreSQL 10.4
    cpe:2.3:a:postgresql:postgresql:10.4
CVSS
Base: 5.5
Impact:
Exploitability:
CWE CWE-285
CAPEC
  • Accessing Functionality Not Properly Constrained by ACLs
    In applications, particularly web applications, access to functionality is mitigated by the authorization framework, whose job it is to map ACLs to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application or can run queries for data that he is otherwise not supposed to.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Directory Indexing
    An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Accessing, Modifying or Executing Executable Files
    An attack of this type exploits a system's configuration that allows an attacker to either directly access an executable file, for example through shell access; or in a possible worst case allows an attacker to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
  • Manipulating Opaque Client-based Data Tokens
    In circumstances where an application holds important data client-side in tokens (cookies, URLs, data files, and so forth) that data can be manipulated. If client or server-side application components reinterpret that data as authentication tokens or data (such as store item pricing or wallet information) then even opaquely manipulating that data may bear fruit for an Attacker. In this pattern an attacker undermines the assumption that client side tokens have been adequately protected from tampering through use of encryption or obfuscation.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Poison Web Service Registry
    SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata (to effect a denial of service), and delete information about service provider interfaces. WS-Addressing is used to virtualize services, provide return addresses and other routing information, however, unless the WS-Addressing headers are protected they are vulnerable to rewriting. The attacker that can rewrite WS-addressing information gains the ability to route service requesters to any service providers, and the ability to route service provider response to any service. Content in a registry is deployed by the service provider. The registry in an SOA or Web Services system can be accessed by the service requester via UDDI or other protocol. The basic flow for the attacker consists of either altering the data at rest in the registry or uploading malicious content by spoofing a service provider. The service requester is then redirected to send its requests and/or responses to services the attacker controls.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
  • Reusing Session IDs (aka Session Replay)
    This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
  • Manipulating Input to File System Calls
    An attacker manipulates inputs to the target software which the target software passes to file system calls in the OS. The goal is to gain access to, and perhaps modify, areas of the file system that the target software did not intend to be accessible.
  • Manipulating User-Controlled Variables
    This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
  • Forceful Browsing
    An attacker employs forceful browsing to access portions of a website that are otherwise unreachable through direct URL entry. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.
nessus via4
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-2_0-0087.NASL
    description An update of 'krb5', 'postgresql' packages of Photon OS has been released.
    last seen 2018-10-10
    modified 2018-09-17
    plugin id 112220
    published 2018-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112220
    title Photon OS 2.0: Krb5 / Postgresql PHSA-2018-2.0-0087
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201810-08.NASL
    description The remote host is affected by the vulnerability described in GLSA-201810-08 (PostgreSQL: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PostgreSQL. Please review the referenced CVE identifiers for details. In addition it was discovered that Gentoo’s PostgreSQL installation suffered from a privilege escalation vulnerability due to a runscript which called OpenRC’s checkpath() on a user controlled path and allowed user running PostgreSQL to kill arbitrary processes via PID file manipulation. Impact : A remote attacker could bypass certain client-side connection security features, read arbitrary server memory or alter certain data. In addition, a local attacker could gain privileges or cause a Denial of Service condition by killing arbitrary processes. Workaround : There is no known workaround at this time.
    last seen 2018-11-01
    modified 2018-10-31
    plugin id 118508
    published 2018-10-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118508
    title GLSA-201810-08 : PostgreSQL: Multiple vulnerabilities
  • NASL family Databases
    NASL id POSTGRESQL_20180809.NASL
    description The version of PostgreSQL installed on the remote host is 9.3.x prior to 9.3.24, 9.4.x prior to 9.4.19, 9.5.x prior to 9.5.14, 9.6.x prior to 9.6.10, or 10.x prior to 10.5. It is, therefore, affected by multiple vulnerabilities.
    last seen 2018-10-10
    modified 2018-09-17
    plugin id 111966
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111966
    title PostgreSQL 9.3.x < 9.3.24 / 9.4.x < 9.4.19 / 9.5.x < 9.5.14 / 9.6.x < 9.6.10 / 10.x < 10.5 Multiple Vulnerabilities
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_96EAB8749C7911E8B34B6CC21735F730.NASL
    description The PostgreSQL project reports : CVE-2018-10915: Certain host connection parameters defeat client-side security defenses libpq, the client connection API for PostgreSQL that is also used by other connection libraries, had an internal issue where it did not reset all of its connection state variables when attempting to reconnect. In particular, the state variable that determined whether or not a password is needed for a connection would not be reset, which could allow users of features requiring libpq, such as the 'dblink' or 'postgres_fdw' extensions, to login to servers they should not be able to access. CVE-2018-10925: Memory disclosure and missing authorization in `INSERT ... ON CONFLICT DO UPDATE` An attacker able to issue CREATE TABLE can read arbitrary bytes of server memory using an upsert (`INSERT ... ON CONFLICT DO UPDATE`) query. By default, any user can exploit that. A user that has specific INSERT privileges and an UPDATE privilege on at least one column in a given table can also update other columns using a view and an upsert query.
    last seen 2018-10-20
    modified 2018-10-19
    plugin id 111656
    published 2018-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111656
    title FreeBSD : PostgreSQL -- two vulnerabilities (96eab874-9c79-11e8-b34b-6cc21735f730)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-D8F5AEA89D.NASL
    description update to 9.6.10, CVE-2018-10915 CVE-2018-10925 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-10-20
    modified 2018-10-19
    plugin id 111770
    published 2018-08-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111770
    title Fedora 27 : postgresql (2018-d8f5aea89d)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1278.NASL
    description This update for postgresql96 to 9.6.10 fixes the following issues : These security issues were fixed : - CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtain access to higher privileged connections or potentially cause other impact SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199) - CVE-2018-10925: Add missing authorization check on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could have exploited this to read arbitrary bytes server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could have exploited this to update other columns in the same table (bsc#1104202) For addition details please see https://www.postgresql.org/docs/current/static/release-9-6-10.html This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2018-10-27
    modified 2018-10-26
    plugin id 118448
    published 2018-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118448
    title openSUSE Security Update : postgresql96 (openSUSE-2018-1278)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1074.NASL
    description A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.(CVE-2018-10915) It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could exploit this to update other columns in the same table.(CVE-2018-10925)
    last seen 2018-10-20
    modified 2018-10-19
    plugin id 117346
    published 2018-09-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117346
    title Amazon Linux AMI : postgresql96 (ALAS-2018-1074)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2018-1_0-0178.NASL
    description An update of 'python2', 'strongswan', 'python3', 'postgresql' packages of Photon OS has been released.
    last seen 2018-10-10
    modified 2018-08-31
    plugin id 112221
    published 2018-08-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112221
    title Photon OS 1.0: Postgresql / Python2 / Python3 / Strongswan PHSA-2018-1.0-0178
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1079.NASL
    description A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq were used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction.(CVE-2018-10915) It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could exploit this to update other columns in the same table.(CVE-2018-10925)
    last seen 2018-10-20
    modified 2018-10-19
    plugin id 117603
    published 2018-09-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117603
    title Amazon Linux AMI : postgresql93 / postgresql94,postgresql95 (ALAS-2018-1079)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4269.NASL
    description Two vulnerabilities have been found in the PostgreSQL database system : - CVE-2018-10915 Andrew Krasichkov discovered that libpq did not reset all its connection state during reconnects. - CVE-2018-10925 It was discovered that some 'CREATE TABLE' statements could disclose server memory. For additional information please refer to the upstream announcement at https://www.postgresql.org/about/news/1878/
    last seen 2018-10-20
    modified 2018-10-19
    plugin id 111653
    published 2018-08-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111653
    title Debian DSA-4269-1 : postgresql-9.6 - security update
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-955.NASL
    description This update for postgresql10 fixes the following issues : PostgreSQL 10 was updated to 10.5 : - https://www.postgresql.org/about/news/1851/ - https://www.postgresql.org/docs/current/static/release-10-5.html A dump/restore is not required for those running 10.X. However, if you use the adminpack extension, you should update it as per the first changelog entry below. Also, if the function marking mistakes mentioned in the second and third changelog entries below affect you, you will want to take steps to correct your database catalogs. Security issues fixed : - CVE-2018-1115: Remove public execute privilege from contrib/adminpack's pg_logfile_rotate() function pg_logfile_rotate() is a deprecated wrapper for the core function pg_rotate_logfile(). When that function was changed to rely on SQL privileges for access control rather than a hard-coded superuser check, pg_logfile_rotate() should have been updated as well, but the need for this was missed. Hence, if adminpack is installed, any user could request a logfile rotation, creating a minor security issue. After installing this update, administrators should update adminpack by performing ALTER EXTENSION adminpack UPDATE in each database in which adminpack is installed (bsc#1091610). - CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtain access to higher privileged connections or potentially cause other impact SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199) - CVE-2018-10925: Add missing authorization check on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could have exploited this to read arbitrary bytes server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could have exploited this to update other columns in the same table (bsc#1104202). This update was imported from the SUSE:SLE-15:Update update project.
    last seen 2018-09-05
    modified 2018-09-04
    plugin id 112269
    published 2018-09-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112269
    title openSUSE Security Update : postgresql10 (openSUSE-2018-955)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3744-1.NASL
    description Andrew Krasichkov discovered that the PostgreSQL client library incorrectly reset its internal state between connections. A remote attacker could possibly use this issue to bypass certain client-side connection security features. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. (CVE-2018-10915) It was discovered that PostgreSQL incorrectly checked authorization on certain statements. A remote attacker could possibly use this issue to read arbitrary server memory or alter certain data. (CVE-2018-10925). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-10-20
    modified 2018-10-19
    plugin id 111844
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111844
    title Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : postgresql-10, postgresql-9.3, postgresql-9.5 vulnerabilities (USN-3744-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2018-3377-1.NASL
    description This update for postgresql96 to 9.6.10 fixes the following issues : These security issues were fixed : CVE-2018-10915: libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with 'host' or 'hostaddr' connection parameters from untrusted input, attackers could have bypassed client-side connection security features, obtain access to higher privileged connections or potentially cause other impact SQL injection, by causing the PQescape() functions to malfunction (bsc#1104199) CVE-2018-10925: Add missing authorization check on certain statements involved with 'INSERT ... ON CONFLICT DO UPDATE'. An attacker with 'CREATE TABLE' privileges could have exploited this to read arbitrary bytes server memory. If the attacker also had certain 'INSERT' and limited 'UPDATE' privileges to a particular table, they could have exploited this to update other columns in the same table (bsc#1104202) For addition details please see https://www.postgresql.org/docs/current/static/release-9-6-10.html Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-10-27
    modified 2018-10-25
    plugin id 118387
    published 2018-10-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=118387
    title SUSE SLED12 / SLES12 Security Update : postgresql96 (SUSE-SU-2018:3377-1)
redhat via4
advisories
  • rhsa
    id RHSA-2018:2511
  • rhsa
    id RHSA-2018:2565
  • rhsa
    id RHSA-2018:2566
refmap via4
bid 105052
confirm
debian DSA-4269
gentoo GLSA-201810-08
sectrack 1041446
ubuntu USN-3744-1
Last major update 09-08-2018 - 17:29
Published 09-08-2018 - 17:29
Last modified 31-10-2018 - 06:30
Back to Top