The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of PostgreSQL

vulnerability CVE-2018-10925

PostgreSQL: memory disclosure and authorization bypass via INSERT ... ON CONFLICT DO UPDATE

Synthesis of the vulnerability

Impacted products: Debian, Unisphere EMC, Fedora, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Confidence: confirmed by the editor (5/5).
Creation date: 10/08/2018.
Identifiers: 528379, CVE-2018-10925, DSA-2018-208, DSA-4269-1, FEDORA-2018-d8f5aea89d, openSUSE-SU-2018:2599-1, openSUSE-SU-2018:3449-1, RHSA-2018:2511-01, RHSA-2018:2565-01, RHSA-2018:2566-01, SUSE-SU-2018:2564-1, SUSE-SU-2018:3377-1, USN-3744-1, VIGILANCE-VUL-26960.

Description of the vulnerability

PostgreSQL failed to perform certain authorization checks on statements involved in INSERT ... ON CONFLICT DO UPDATE. A user holding CREATE TABLE privilege can exploit this to read arbitrary bytes of server memory; a user who also holds INSERT and limited UPDATE privileges on a table can use the same flaw to update columns of that table that his grants do not cover. Fixed in 10.5 and 9.6.10.

computer vulnerability note CVE-2018-10915

PostgreSQL: privilege escalation via libpq host and hostaddr connection parameters

Synthesis of the vulnerability

Impacted products: Debian, Unisphere EMC, Fedora, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, WindRiver Linux.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 10/08/2018.
Identifiers: 528379, CVE-2018-10915, DLA-1464-1, DSA-2018-208, DSA-4269-1, FEDORA-2018-d8f5aea89d, openSUSE-SU-2018:2599-1, openSUSE-SU-2018:3449-1, openSUSE-SU-2018:4007-1, RHSA-2018:2511-01, RHSA-2018:2557-01, RHSA-2018:2565-01, RHSA-2018:2566-01, SUSE-SU-2018:2564-1, SUSE-SU-2018:3287-1, SUSE-SU-2018:3377-1, SUSE-SU-2018:3909-1, USN-3744-1, VIGILANCE-VUL-26959.

Description of the vulnerability

libpq, the PostgreSQL client library, did not properly reset its internal state between connections. When the host or hostaddr connection parameters come from untrusted input, for example in a server that lets users supply connection strings to dblink or postgres_fdw, an attacker can bypass client-side connection security features, obtain access to higher-privileged connections, or make the PQescape*() functions malfunction and so inject SQL. Fixed in 10.5, 9.6.10, 9.5.14, 9.4.19 and 9.3.23.

vulnerability bulletin CVE-2018-1115

PostgreSQL: unauthorized log rotation via adminpack pg_logfile_rotate()

Synthesis of the vulnerability

Impacted products: Fedora, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: data creation/edition, data deletion.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 11/05/2018.
Identifiers: CVE-2018-1115, FEDORA-2018-08550a9006, FEDORA-2018-937c789f2a, FEDORA-2018-bd6f9237b5, openSUSE-SU-2018:1709-1, openSUSE-SU-2018:1900-1, openSUSE-SU-2018:2599-1, RHSA-2018:2565-01, RHSA-2018:2566-01, SUSE-SU-2018:1695-1, SUSE-SU-2018:2564-1, VIGILANCE-VUL-26093.

Description of the vulnerability

The adminpack extension's pg_logfile_rotate() is a deprecated wrapper around the core pg_rotate_logfile(). When the core function was switched from a hard-coded superuser check to SQL privileges (EXECUTE revoked from PUBLIC), the wrapper was not updated, so it stayed executable by every role. Any user able to connect to a database with adminpack installed can force a log rotation. Fixed in 10.4 and 9.6.9; after upgrading, run ALTER EXTENSION adminpack UPDATE in every database where the extension is installed, or revoke EXECUTE from PUBLIC by hand.
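
The check and the fix, as an added example written for this page (not code from the Vigil@nce bulletin or from the PostgreSQL project). It assumes a superuser session on a database in which adminpack is installed; the role name audit_probe is made up for the check.

```sql
-- Added check and fix for CVE-2018-1115; not code from the Vigil@nce bulletin
-- or from the PostgreSQL project. Assumes a superuser session on a database
-- in which the adminpack extension is installed; the role audit_probe is a
-- throwaway name made up for the check.

-- 1. Probe as an ordinary, non-superuser role. A NOLOGIN role is enough,
--    since a superuser may SET ROLE to any role.
CREATE ROLE audit_probe NOLOGIN;
SET ROLE audit_probe;
SELECT has_function_privilege('pg_catalog.pg_logfile_rotate()', 'EXECUTE') AS wrapper_callable,
       has_function_privilege('pg_catalog.pg_rotate_logfile()', 'EXECUTE') AS core_callable;
RESET ROLE;

-- 2. Fix. After upgrading to 10.4 / 9.6.9 the extension's update script
--    applies the corrected ACL; the REVOKE is the same change done by hand,
--    for a server that cannot be upgraded right away.
ALTER EXTENSION adminpack UPDATE;
REVOKE EXECUTE ON FUNCTION pg_catalog.pg_logfile_rotate() FROM PUBLIC;

-- 3. Re-check from the same unprivileged role, then remove it.
SET ROLE audit_probe;
SELECT has_function_privilege('pg_catalog.pg_logfile_rotate()', 'EXECUTE') AS wrapper_callable;
RESET ROLE;
DROP ROLE audit_probe;
```

On a vulnerable server the first probe reports wrapper_callable as true: every role may rotate the log through the adminpack wrapper. On 10.x core_callable is false, because EXECUTE on the core function was revoked from PUBLIC; the wrapper simply missed that revocation. After step 2 the re-check must report false. Note that has_function_privilege() reports the SQL-level ACL only, so a NULL proacl (default privileges, which grant EXECUTE to PUBLIC) correctly shows as callable.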

computer vulnerability alert CVE-2018-1058

PostgreSQL: privilege escalation via function search paths

Synthesis of the vulnerability

Impacted products: Fedora, openSUSE Leap, PostgreSQL, RHEL, Ubuntu.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: user account.
Confidence: confirmed by the editor (5/5).
Creation date: 02/03/2018.
Identifiers: CVE-2018-1058, FEDORA-2018-2999cf6426, FEDORA-2018-a32082df51, openSUSE-SU-2018:0736-1, openSUSE-SU-2018:0765-1, openSUSE-SU-2018:0890-1, RHSA-2018:2511-01, RHSA-2018:2566-01, USN-3589-1, VIGILANCE-VUL-25416.

Description of the vulnerability

An attacker with CREATE privilege on a schema that other users search (by default the public schema, where every role may create objects) can define functions with the same names as built-in functions but with different argument types. Function resolution considers every schema on the search_path and prefers the best argument-type match rather than the first schema, so unqualified calls made by other users, including superusers and administrative tools such as pg_dump, run the attacker's function with the caller's privileges. The 10.3, 9.6.8, 9.5.12, 9.4.17 and 9.3.22 releases make the bundled client tools run with a restricted search_path and document the mitigations: revoke CREATE on public from PUBLIC, pin search_path to trusted schemas, and schema-qualify names.
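
The shadowing described above, as an added example (not code from the Vigil@nce bulletin or from PostgreSQL). The roles mallory and alice, the customers table and the decoy function body are assumptions chosen to make the behaviour visible; the script assumes a superuser session in a scratch database whose public schema still carries the pre-PostgreSQL 15 default of CREATE granted to PUBLIC (on 15 and later the CREATE FUNCTION step fails with permission denied, which is the point of the hardening at the end).

```sql
-- Added demonstration for CVE-2018-1058; not code from the Vigil@nce bulletin
-- or from the PostgreSQL project. Assumes a superuser session in a scratch
-- database whose public schema still carries the pre-PostgreSQL 15 default
-- (CREATE granted to PUBLIC). The roles mallory and alice, the table
-- customers and the decoy function body are made up for the demonstration.

CREATE ROLE mallory LOGIN;                       -- low-privileged attacker
CREATE ROLE alice   LOGIN;                       -- victim, may only SELECT
CREATE TABLE public.customers (name varchar(80));
INSERT INTO public.customers VALUES ('Ada');
GRANT SELECT ON public.customers TO alice;

-- Attacker: overload the built-in lower(text) with a varchar variant.
-- Resolution gathers candidates from every schema on the search path and
-- keeps the exact argument-type match, so for a varchar argument
-- public.lower(varchar) beats pg_catalog.lower(text), although pg_catalog is
-- implicitly searched first.
SET ROLE mallory;
CREATE FUNCTION public.lower(varchar) RETURNS text
LANGUAGE sql AS $$
  -- a real decoy would act here; this one only reports whose privileges it has
  SELECT pg_catalog.lower($1::text) || ' [public.lower ran as ' || current_user || ']'
$$;
RESET ROLE;

-- Victim: the unqualified call silently runs mallory's function as alice;
-- the schema-qualified call reaches the built-in.
SET ROLE alice;
SELECT lower(name) FROM public.customers;
SELECT pg_catalog.lower(name) FROM public.customers;
RESET ROLE;

-- Hardening that comes with the fix: nobody untrusted may create objects in a
-- schema everyone searches, and the decoy goes.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
DROP FUNCTION public.lower(varchar);

-- Cleanup of the demonstration objects.
DROP TABLE public.customers;
DROP ROLE alice;
DROP ROLE mallory;
```

The first victim query returns "ada [public.lower ran as alice]": the decoy executed with alice's privileges although pg_catalog precedes public on the search path. The second returns plain "ada", which is the cheapest mitigation for application code: schema-qualify calls to pg_catalog functions. For routines that cannot be rewritten, set a fixed search_path on the function (SET search_path = trusted_schema, pg_temp) so only schemas where untrusted roles cannot create objects are consulted; pg_dump and the other bundled tools were changed to run with an empty search_path and qualify everything.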

computer vulnerability CVE-2018-1052

PostgreSQL: memory disclosure via table partitioning

Synthesis of the vulnerability

Impacted products: PostgreSQL.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Confidence: confirmed by the editor (5/5).
Creation date: 09/02/2018.
Identifiers: CVE-2018-1052, VIGILANCE-VUL-25265.

Description of the vulnerability

PostgreSQL 10.x before 10.2 mishandled partition keys containing multiple expressions. An authenticated user can supply crafted input to crash the backend or read arbitrary bytes of server memory.

vulnerability announcement CVE-2018-1053

PostgreSQL: password disclosure via pg_upgrade

Synthesis of the vulnerability

Impacted products: Debian, openSUSE Leap, PostgreSQL, RHEL, Ubuntu, WindRiver Linux.
Severity: 2/4.
Consequences: data reading.
Provenance: user shell.
Confidence: confirmed by the editor (5/5).
Creation date: 08/02/2018.
Identifiers: CVE-2018-1053, DLA-1271-1, openSUSE-SU-2018:0523-1, openSUSE-SU-2018:0529-1, openSUSE-SU-2018:0688-1, RHSA-2018:2511-01, RHSA-2018:2566-01, USN-3564-1, VIGILANCE-VUL-25242.

Description of the vulnerability

pg_upgrade wrote the output of pg_dumpall -g, which includes role definitions with their password hashes, to a file in the current working directory created under the caller's umask rather than a restrictive one, so the file was typically readable by every local user. A local user on the host can read the hashed passwords while the file exists. Fixed in 10.2, 9.6.7, 9.5.11, 9.4.16 and 9.3.21.

computer vulnerability CVE-2017-12172 CVE-2017-15098 CVE-2017-15099

PostgreSQL: three vulnerabilities

Synthesis of the vulnerability

Impacted products: Debian, Fedora, Junos Space, openSUSE Leap, PostgreSQL, RHEL, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: user account.
Confidence: confirmed by the editor (5/5).
Creation date: 09/11/2017.
Identifiers: CVE-2017-12172, CVE-2017-15098, CVE-2017-15099, DSA-4027-1, DSA-4028-1, FEDORA-2017-0188f21212, FEDORA-2017-1f1fdab532, FEDORA-2017-783a436ee8, JSA10838, openSUSE-SU-2017:3425-1, openSUSE-SU-2018:0095-1, openSUSE-SU-2018:0529-1, RHSA-2017:3402-01, RHSA-2017:3403-01, RHSA-2017:3404-01, RHSA-2017:3405-01, RHSA-2018:2511-01, RHSA-2018:2566-01, USN-3479-1, VIGILANCE-VUL-24405.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL, fixed in 10.1, 9.6.6, 9.5.10, 9.4.15, 9.3.20 and 9.2.24.

The start scripts shipped with the source, and several packagers' own scripts, open or chmod a log file as root whose name the database superuser can replace with a symbolic link, so a database superuser can read or modify arbitrary files on the host. [CVE-2017-12172]

json_populate_recordset() and jsonb_populate_recordset() can crash the server or disclose backend memory when the record-type argument does not match the JSON input. [CVE-2017-15098]

INSERT ... ON CONFLICT DO UPDATE did not check SELECT privilege on the arbiter index columns when the arbiter was named by constraint, and did not apply the table's SELECT row-level security policies to updated rows, so a user with INSERT and UPDATE rights could learn values he is not allowed to select. [CVE-2017-15099]

vulnerability bulletin CVE-2017-7546 CVE-2017-7547 CVE-2017-7548

PostgreSQL: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, WindRiver Linux.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: user account.
Confidence: confirmed by the editor (5/5).
Creation date: 10/08/2017.
Identifiers: CVE-2017-7546, CVE-2017-7547, CVE-2017-7548, DLA-1051-1, DSA-3935-1, DSA-3936-1, FEDORA-2017-9148fe36b9, FEDORA-2017-d9cac37bd8, FEDORA-2017-f9e66916ec, openSUSE-SU-2017:2306-1, openSUSE-SU-2017:2391-1, openSUSE-SU-2017:2392-1, openSUSE-SU-2018:0529-1, RHSA-2017:2677-01, RHSA-2017:2678-01, RHSA-2017:2728-01, RHSA-2017:2860-01, SUSE-SU-2017:2236-1, SUSE-SU-2017:2258-1, SUSE-SU-2017:2355-1, SUSE-SU-2017:2356-1, USN-3390-1, VIGILANCE-VUL-23493.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

Setting a role's password to the empty string was accepted, and password-based authentication methods such as md5 then let that role log in with an empty password. libpq refuses to send an empty password, which hid the problem from psql users, but a modified or non-libpq client can send one, so anyone could log in as such a role. The fix makes the server reject empty passwords in all password-based authentication methods. [severity:2/4; CVE-2017-7546]

The pg_user_mappings catalog view still showed user mapping options, which commonly include a password for the foreign server, in a case the CVE-2017-7486 fix had missed: a user could see the options of her own mapping without holding USAGE on the foreign server. [severity:2/4; CVE-2017-7547]

lo_put() did not perform the permission check that lowrite() performs on the target large object, so any user could overwrite the contents of any large object. [severity:2/4; CVE-2017-7548]

vulnerability note CVE-2017-7484 CVE-2017-7485 CVE-2017-7486

PostgreSQL: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, openSUSE Leap, PostgreSQL, RHEL.
Severity: 2/4.
Consequences: privileged access/rights, data reading.
Provenance: user account.
Confidence: confirmed by the editor (5/5).
Creation date: 11/05/2017.
Identifiers: CVE-2017-7484, CVE-2017-7485, CVE-2017-7486, DLA-1051-1, DSA-3851-1, FEDORA-2017-0d5817efc0, FEDORA-2017-4de07172f4, FEDORA-2017-a8f4562bf5, openSUSE-SU-2017:1495-1, openSUSE-SU-2017:1772-1, RHSA-2017:1677-01, RHSA-2017:1678-01, RHSA-2017:1983-01, VIGILANCE-VUL-22714.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

Selectivity estimators in the planner apply user-defined operators to values taken from pg_statistic (most common values, histogram entries) before table permissions are checked, so a user can pass a leaky operator to learn sample values of columns he may not read. The fix falls back to a default estimate when the operator is not leak-proof and the user lacks permission on the column. [severity:2/4; CVE-2017-7484]

libpq had stopped honouring the PGREQUIRESSL environment variable in 9.3 while the documentation still described it, so connections meant to require SSL could be made in the clear and a man-in-the-middle could read or alter the session. The fix restores PGREQUIRESSL=1 as a request for SSL, with lower priority than PGSSLMODE. [severity:2/4; CVE-2017-7485]

The pg_user_mappings catalog view exposed user mapping options, which can contain a password for the foreign server, to users lacking USAGE privilege on that server. The fix hides the options from such users; it was completed by the CVE-2017-7547 fix. [severity:2/4; CVE-2017-7486]

computer vulnerability note CVE-2016-5423 CVE-2016-5424

PostgreSQL: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, openSUSE, openSUSE Leap, PostgreSQL, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: privileged access/rights, denial of service on service.
Provenance: user account.
Confidence: confirmed by the editor (5/5).
Creation date: 11/08/2016.
Identifiers: CERTFR-2016-AVI-281, CVE-2016-5423, CVE-2016-5424, DLA-592-1, DSA-3646-1, FEDORA-2016-30b01bdedd, FEDORA-2016-5486a6dfc0, openSUSE-SU-2016:2425-1, openSUSE-SU-2016:2464-1, openSUSE-SU-2017:1021-1, RHSA-2016:1781-01, RHSA-2016:1820-01, RHSA-2016:1821-01, RHSA-2016:2606-02, SUSE-SU-2016:2414-1, SUSE-SU-2016:2415-1, SUSE-SU-2016:2418-1, USN-3066-1, VIGILANCE-VUL-20369.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

A CASE expression appearing in the test value of another CASE, or inlining of a SQL function used as a CASE equality operator, could pass the wrong test value to functions called inside the expression; with test values of different data types this crashes the server, and the confusion can be abused to disclose portions of server memory. [severity:1/4; CVE-2016-5423]

A user who can create or rename a database or role can embed double quotes, backslashes or newlines in its name, which pg_dumpall, vacuumdb and psql meta-commands such as \connect and \password quoted incorrectly. An administrator later running these tools, or the scripts they generate, executes the injected commands with his own privileges. The fix tightens quoting throughout the client programs and makes pg_dumpall refuse names containing a newline or carriage return. [severity:2/4; CVE-2016-5424]
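
One check that follows from this, as an added example (SQL written for this page, not code from the Vigil@nce bulletin or from PostgreSQL): list the roles and databases whose names contain the characters the injection relies on, so they can be renamed before administrative scripts touch them. It needs no special privilege, since every role may read pg_roles and pg_database.

```sql
-- Added check for CVE-2016-5424; not code from the Vigil@nce bulletin or from
-- the PostgreSQL project. Lists role and database names carrying the
-- characters the injection relies on: newline or carriage return, which no
-- quoting in a generated script can make safe, and double quote, single
-- quote or backslash, which the affected tools quoted incorrectly.
WITH cluster_names(kind, obj_name) AS (
    SELECT 'role',     rolname::text FROM pg_roles
    UNION ALL
    SELECT 'database', datname::text FROM pg_database
)
SELECT kind,
       obj_name,
       position(chr(10) in obj_name) > 0
         OR position(chr(13) in obj_name) > 0            AS has_line_break,
       obj_name ~ '["''\\]'                              AS has_quote_or_backslash,
       quote_ident(obj_name)                             AS as_psql_would_quote_it
FROM cluster_names
WHERE position(chr(10) in obj_name) > 0
   OR position(chr(13) in obj_name) > 0
   OR obj_name ~ '["''\\]'
ORDER BY kind, obj_name;
```

An empty result means no name carries these characters. Any row is a candidate for ALTER ROLE ... RENAME TO or ALTER DATABASE ... RENAME TO: since the fix the client programs quote the remaining characters correctly and pg_dumpall stops with an error on a name containing a line break, but names created on an unpatched release survive an upgrade unchanged.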
