Vulnerability in PostgreSQL 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7, and 10.x before 10.2 (CVE-2018-1053)

oval:org.cisecurity:def:8198

In PostgreSQL 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7, and 10.x before 10.2, pg_upgrade creates a file in the current working directory containing the output of `pg_dumpall -g` under the umask that was in effect when the user invoked pg_upgrade, and not under 0077, which is normally used for other temporary files. This can allow an authenticated attacker to read or modify the one file, which may contain encrypted or unencrypted database passwords.

Family:
windows
Status:
ACCEPTED
Platform(s):
  • Microsoft Windows Server 2016
  • Microsoft Windows 10
  • Microsoft Windows 8.1
  • Microsoft Windows XP
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 8
  • Microsoft Windows Server 2008
  • Microsoft Windows Vista
  • Microsoft Windows 7
Class:
vulnerability
Reference(s):
  • CVE-2018-1053
Product(s):
  • PostgreSQL