VuXML ID | Description |
62da9702-b4cc-11eb-b9c9-6cc21735f730 | PostgreSQL server -- two security issues
The PostgreSQL project reports:
Memory disclosure in INSERT ... ON CONFLICT ... DO UPDATE
Using an INSERT ... ON CONFLICT ... DO UPDATE command on a
purpose-crafted table, an attacker can read arbitrary bytes of
server memory. In the default configuration, any authenticated
database user can create prerequisite objects and complete this
attack at will. A user lacking the CREATE and TEMPORARY privileges
on all databases and the CREATE privilege on all schemas cannot use
this attack at will.
Buffer overrun from integer overflow in array subscripting
calculations
While modifying certain SQL array values, missing bounds checks let
authenticated database users write arbitrary bytes to a wide area of
server memory.
Discovery: 2021-05-13 Entry: 2021-05-14
Affected packages:
postgresql13-server < 13.3
postgresql12-server < 12.7
postgresql11-server < 11.12
postgresql10-server < 10.17
postgresql96-server < 9.6.22
References:
https://www.postgresql.org/support/security/CVE-2021-32027/
https://www.postgresql.org/support/security/CVE-2021-32028/
|
1f02af5d-c566-11e7-a12d-6cc21735f730 | PostgreSQL vulnerabilities
The PostgreSQL project reports:
- CVE-2017-15098: Memory disclosure in JSON functions
- CVE-2017-15099: INSERT ... ON CONFLICT DO UPDATE fails to
enforce SELECT privileges
Discovery: 2017-10-10 Entry: 2017-11-09
Affected packages:
postgresql92-server >= 9.2.0, < 9.2.24
postgresql93-server >= 9.3.0, < 9.3.20
postgresql94-server >= 9.4.0, < 9.4.15
postgresql95-server >= 9.5.0, < 9.5.10
postgresql96-server >= 9.6.0, < 9.6.6
postgresql10-server >= 10.0, < 10.1
References:
CVE-2017-15099
CVE-2017-15098
|
9de4c1c1-b9ee-11e9-82aa-6cc21735f730 | PostgreSQL -- TYPE in pg_temp executes arbitrary SQL during `SECURITY DEFINER` execution
The PostgreSQL project reports:
Versions Affected: 9.4 - 11
Given a suitable `SECURITY DEFINER` function, an attacker can execute arbitrary
SQL under the identity of the function owner. An attack requires `EXECUTE`
permission on the function, which must itself contain a function call having
inexact argument type match. For example, `length('foo'::varchar)` and
`length('foo')` are inexact, while `length('foo'::text)` is exact.
As part of exploiting this vulnerability, the attacker uses `CREATE DOMAIN`
to create a type in a `pg_temp` schema. The attack pattern and fix are similar
to that for CVE-2007-2138.
Writing `SECURITY DEFINER` functions continues to require following
the considerations noted in the documentation:
https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY
Versions Affected: 11
In a database containing hypothetical, user-defined hash equality operators,
an attacker could read arbitrary bytes of server memory. For an attack to
become possible, a superuser would need to create unusual operators.
It is possible for operators not purpose-crafted for attack to have
the properties that enable an attack, but we are not aware of specific examples.
Discovery: 2019-08-08 Entry: 2019-08-08
Affected packages:
postgresql11-server < 11.5
postgresql10-server < 10.10
postgresql96-server < 9.6.15
postgresql95-server < 9.5.19
postgresql94-server < 9.4.24
References:
https://www.postgresql.org/about/news/1960/
CVE-2019-10208
CVE-2019-10209
|
c602c791-0cf4-11e8-a2ec-6cc21735f730 | PostgreSQL vulnerabilities
The PostgreSQL project reports:
- CVE-2018-1052: Fix the processing of partition keys containing multiple expressions (only for PostgreSQL-10.x)
- CVE-2018-1053: Ensure that all temporary files made with "pg_upgrade" are non-world-readable
Discovery: 2018-02-05 Entry: 2018-02-08
Affected packages:
postgresql93-server >= 9.3.0, < 9.3.21
postgresql94-server >= 9.4.0, < 9.4.16
postgresql95-server >= 9.5.0, < 9.5.11
postgresql96-server >= 9.6.0, < 9.6.7
postgresql10-server >= 10.0, < 10.2
References:
CVE-2018-1052
CVE-2018-1053
|
d331f691-71f4-11ea-8bb5-6cc21735f730 | PostgreSQL -- ALTER ... DEPENDS ON EXTENSION is missing authorization checks
The PostgreSQL project reports:
Versions Affected: 9.6 - 12
The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform
authorization checks, which can allow an unprivileged user to drop
any function, procedure, materialized view, index, or trigger under
certain conditions. This attack is possible if an administrator has
installed an extension and an unprivileged user can CREATE, or an
extension owner either executes DROP EXTENSION predictably or can be
convinced to execute DROP EXTENSION.
Discovery: 2020-02-13 Entry: 2020-03-29
Affected packages:
postgresql12-server < 12.2
postgresql11-server < 11.7
postgresql10-server < 10.12
postgresql96-server < 9.6.17
References:
https://www.postgresql.org/about/news/1960/
CVE-2020-1720
|
065890c3-725e-11e9-b0e1-6cc21735f730 | PostgreSQL -- Selectivity estimators bypass row security policies
The PostgreSQL project reports:
PostgreSQL maintains statistics for tables by sampling
data available in columns; this data is consulted during
the query planning process. Prior to this release, a user
able to execute SQL queries with permissions to read a
given column could craft a leaky operator that could
read whatever data had been sampled from that column.
If this happened to include values from rows that the user
is forbidden to see by a row security policy, the user
could effectively bypass the policy. This is fixed by only
allowing a non-leakproof operator to use this data if
there are no relevant row security policies for the table.
Discovery: 2019-05-09 Entry: 2019-05-09
Affected packages:
postgresql11-server < 11.3
postgresql10-server < 10.8
postgresql96-server < 9.6.13
postgresql95-server < 9.5.17
References:
https://www.postgresql.org/about/news/1939/
CVE-2019-10130
|
e3eeda2e-1d67-11e8-a2ec-6cc21735f730 | PostgreSQL vulnerabilities
The PostgreSQL project reports:
- CVE-2018-1058: Uncontrolled search path element in pg_dump and other client applications
Discovery: 2018-03-01 Entry: 2018-03-01
Affected packages:
postgresql93-server >= 9.3.0, < 9.3.22
postgresql94-server >= 9.4.0, < 9.4.17
postgresql95-server >= 9.5.0, < 9.5.12
postgresql96-server >= 9.6.0, < 9.6.8
postgresql10-server >= 10.0, < 10.3
References:
https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path
CVE-2018-1058
|
1c27a706-e3aa-11e8-b77a-6cc21735f730 | PostgreSQL -- SQL injection in pg_upgrade and pg_dump
The PostgreSQL project reports:
CVE-2018-16850: SQL injection in pg_upgrade and pg_dump,
via CREATE TRIGGER ... REFERENCING.
Using a purpose-crafted trigger definition, an attacker can run
arbitrary SQL statements with superuser privileges when a superuser
runs pg_upgrade on the database or during a pg_dump dump/restore
cycle. This attack requires a CREATE privilege on some non-temporary
schema or a TRIGGER privilege on a table. This is exploitable in the
default PostgreSQL configuration, where all users have CREATE
privilege on public schema.
Discovery: 2018-11-08 Entry: 2018-11-08
Affected packages:
postgresql10-server < 10.6
postgresql96-server < 9.6.11
postgresql95-server < 9.5.15
postgresql94-server < 9.4.20
postgresql93-server < 9.3.25
References:
https://www.postgresql.org/about/news/1905/
CVE-2018-16850
|
2ccd71bd-426b-11ec-87db-6cc21735f730 | PostgreSQL -- Possible man-in-the-middle attacks
The PostgreSQL Project reports:
CVE-2021-23214: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could be abused to send faked SQL commands to the server, although that would only work if the server did not demand any authentication data. (However, a server relying on SSL certificate authentication might well not do so.)
CVE-2021-23222: A man-in-the-middle with the ability to inject data into the TCP connection could stuff some cleartext data into the start of a supposedly encryption-protected database session. This could probably be abused to inject faked responses to the client's first few queries, although other details of libpq's behavior make that harder than it sounds. A different line of attack is to exfiltrate the client's password, or other sensitive data that might be sent early in the session. That has been shown to be possible with a server vulnerable to CVE-2021-23214.
Discovery: 2021-11-08 Entry: 2021-11-10
Affected packages:
postgresql14-server < 14.1
postgresql13-server < 13.5
postgresql12-server < 12.9
postgresql11-server < 11.14
postgresql10-server < 10.19
postgresql96-server < 9.6.24
References:
CVE-2021-23214
CVE-2021-23222
|
96eab874-9c79-11e8-b34b-6cc21735f730 | PostgreSQL -- two vulnerabilities
The PostgreSQL project reports:
CVE-2018-10915: Certain host connection parameters defeat
client-side security defenses
libpq, the client connection API for PostgreSQL that is also used
by other connection libraries, had an internal issue where it did not
reset all of its connection state variables when attempting to
reconnect. In particular, the state variable that determined whether
or not a password is needed for a connection would not be reset, which
could allow users of features requiring libpq, such as the "dblink" or
"postgres_fdw" extensions, to login to servers they should not be able
to access.
CVE-2018-10925: Memory disclosure and missing authorization in
`INSERT ... ON CONFLICT DO UPDATE`
An attacker able to issue CREATE TABLE can read arbitrary bytes of
server memory using an upsert (`INSERT ... ON CONFLICT DO UPDATE`)
query. By default, any user can exploit that. A user that has
specific INSERT privileges and an UPDATE privilege on at least one
column in a given table can also update other columns using a view and
an upsert query.
Discovery: 2018-08-09 Entry: 2018-08-10
Affected packages:
postgresql10-server < 10.5
postgresql96-server < 9.6.10
postgresql95-server < 9.5.14
postgresql94-server < 9.4.19
postgresql93-server < 9.3.24
References:
https://www.postgresql.org/about/news/1878/
CVE-2018-10915
CVE-2018-10925
|