New Search

Vulnerability in PostgreSQL versions before 10.5 9.6.10 9.5.14 9.4.19 and 9.3.24 (CVE-2018-10925)

oval:org.cisecurity:def:8211

It was discovered that PostgreSQL versions before 10.5 9.6.10 9.5.14 9.4.19 and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table they could exploit this to update other columns in the same table.

Family:
windows
Status:
ACCEPTED
Platform(s):
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Vista
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2003
  • Microsoft Windows 8
  • Microsoft Windows 7
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 8.1
  • Microsoft Windows Server 2016
  • Microsoft Windows 10
  • Microsoft Windows XP
Class:
vulnerability
Reference(s):
  • 105052
  • CVE-2018-10925
Product(s):
  • PostgreSQL