The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of PostgreSQL

vulnerability bulletin CVE-2019-10164

PostgreSQL: buffer overflow via Password Change

Synthesis of the vulnerability

An attacker can trigger a buffer overflow via Password Change of PostgreSQL, in order to trigger a denial of service, and possibly to run code.
Impacted products: openSUSE Leap, PostgreSQL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: user account.
Creation date: 20/06/2019.
Identifiers: CVE-2019-10164, openSUSE-SU-2019:1773-1, SUSE-SU-2019:1783-1, SUSE-SU-2019:1783-2, SUSE-SU-2019:1810-1, USN-4027-1, VIGILANCE-VUL-29583.

Description of the vulnerability

An attacker can trigger a buffer overflow via Password Change of PostgreSQL, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2019-10129

PostgreSQL: information disclosure via INSERT requests

Synthesis of the vulnerability

A local attacker can read a memory fragment via INSERT of PostgreSQL, in order to obtain sensitive information.
Impacted products: PostgreSQL, Ubuntu.
Severity: 1/4.
Consequences: data reading.
Provenance: user account.
Creation date: 10/05/2019.
Revision date: 10/05/2019.
Identifiers: CVE-2019-10129, USN-3972-1, VIGILANCE-VUL-29263.

Description of the vulnerability

A local attacker can read a memory fragment via INSERT of PostgreSQL, in order to obtain sensitive information.

vulnerability announcement CVE-2019-10130

PostgreSQL: information disclosure via indexes

Synthesis of the vulnerability

An attacker can use some operators in a SQL request to PostgreSQL, in order to retrieve some values from a forbidden column.
Impacted products: Debian, openSUSE Leap, PostgreSQL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights, data reading.
Provenance: user account.
Creation date: 10/05/2019.
Revision date: 10/05/2019.
Identifiers: CVE-2019-10130, DSA-4439-1, openSUSE-SU-2019:1578-1, openSUSE-SU-2019:1668-1, openSUSE-SU-2019:1773-1, SUSE-SU-2019:1511-1, SUSE-SU-2019:1687-1, SUSE-SU-2019:1810-1, USN-3972-1, VIGILANCE-VUL-29262.

Description of the vulnerability

An attacker can use some operators in a SQL request to PostgreSQL, in order to retrieve some values from a forbidden column.

vulnerability note CVE-2019-10127 CVE-2019-10128

PostgreSQL: privilege escalation via the Windows installer

Synthesis of the vulnerability

The PostgreSQL installer for MS-Windows does not correctly set some permissions.
Impacted products: Debian, PostgreSQL.
Severity: 2/4.
Consequences: administrator access/rights, privileged access/rights.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 2.
Creation date: 10/05/2019.
Identifiers: CVE-2019-10127, CVE-2019-10128, DLA-1784-1, VIGILANCE-VUL-29264.

Description of the vulnerability

The PostgreSQL installer for MS-Windows does not correctly set some permissions.

computer vulnerability bulletin CVE-2018-16850

PostgreSQL: SQL injection via pg_upgrade/pg_dump

Synthesis of the vulnerability

An attacker can use a SQL injection via pg_upgrade/pg_dump of PostgreSQL, in order to read or alter data.
Impacted products: Debian, Unisphere EMC, openSUSE Leap, PostgreSQL, Puppet, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: user account.
Creation date: 08/11/2018.
Revision date: 09/11/2018.
Identifiers: 528379, CVE-2018-16850, DLA-1642-1, DSA-2018-208, openSUSE-SU-2018:3893-1, openSUSE-SU-2018:4031-1, RHSA-2018:3757-01, SUSE-SU-2018:3770-1, SUSE-SU-2018:3770-2, USN-3818-1, VIGILANCE-VUL-27738.

Description of the vulnerability

The PostgreSQL product uses a database.

However, user-supplied data are inserted directly into a SQL query.

An attacker can therefore use a SQL injection via pg_upgrade/pg_dump of PostgreSQL, in order to read or alter data.

vulnerability CVE-2018-10925

PostgreSQL: information disclosure via CONFLICT DO UPDATE

Synthesis of the vulnerability

A local attacker can read a memory fragment via CONFLICT DO UPDATE of PostgreSQL, in order to obtain sensitive information.
Impacted products: Debian, Unisphere EMC, Fedora, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 10/08/2018.
Identifiers: 528379, CVE-2018-10925, DSA-2018-208, DSA-4269-1, FEDORA-2018-d8f5aea89d, openSUSE-SU-2018:2599-1, openSUSE-SU-2018:3449-1, RHSA-2018:2511-01, RHSA-2018:2565-01, RHSA-2018:2566-01, SUSE-SU-2018:2564-1, SUSE-SU-2018:3377-1, USN-3744-1, VIGILANCE-VUL-26960.

Description of the vulnerability

A local attacker can read a memory fragment via CONFLICT DO UPDATE of PostgreSQL, in order to obtain sensitive information.

computer vulnerability note CVE-2018-10915

PostgreSQL: privilege escalation via Libpq Host Connection Parameters

Synthesis of the vulnerability

An attacker can bypass restrictions via Libpq Host Connection Parameters of PostgreSQL, in order to escalate privileges.
Impacted products: Debian, Unisphere EMC, VNX Operating Environment, VNX Series, Fedora, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Creation date: 10/08/2018.
Identifiers: 528379, CVE-2018-10915, DLA-1464-1, DSA-2018-208, DSA-2019-131, DSA-4269-1, FEDORA-2018-d8f5aea89d, openSUSE-SU-2018:2599-1, openSUSE-SU-2018:3449-1, openSUSE-SU-2018:4007-1, RHSA-2018:2511-01, RHSA-2018:2557-01, RHSA-2018:2565-01, RHSA-2018:2566-01, SUSE-SU-2018:2564-1, SUSE-SU-2018:3287-1, SUSE-SU-2018:3377-1, SUSE-SU-2018:3909-1, USN-3744-1, VIGILANCE-VUL-26959.

Description of the vulnerability

An attacker can bypass restrictions via Libpq Host Connection Parameters of PostgreSQL, in order to escalate privileges.

vulnerability bulletin CVE-2018-1115

PostgreSQL: log rotation via adminpack pg_logfile_rotate

Synthesis of the vulnerability

An attacker can bypass restrictions via adminpack pg_logfile_rotate() of PostgreSQL, in order to rotate logs.
Impacted products: Fedora, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: data creation/edition, data deletion.
Provenance: user shell.
Creation date: 11/05/2018.
Identifiers: CVE-2018-1115, FEDORA-2018-08550a9006, FEDORA-2018-937c789f2a, FEDORA-2018-bd6f9237b5, openSUSE-SU-2018:1709-1, openSUSE-SU-2018:1900-1, openSUSE-SU-2018:2599-1, RHSA-2018:2565-01, RHSA-2018:2566-01, SUSE-SU-2018:1695-1, SUSE-SU-2018:2564-1, VIGILANCE-VUL-26093.

Description of the vulnerability

An attacker can bypass restrictions via adminpack pg_logfile_rotate() of PostgreSQL, in order to rotate logs.

computer vulnerability alert CVE-2018-1058

PostgreSQL: privilege escalation via function search paths

Synthesis of the vulnerability

An attacker can define SQL functions with the same names as built-in functions of PostgreSQL, in order to make users run them with their own privileges.
Impacted products: VNX Operating Environment, VNX Series, Fedora, openSUSE Leap, PostgreSQL, RHEL, Ubuntu.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: user account.
Creation date: 02/03/2018.
Identifiers: CVE-2018-1058, DSA-2019-131, FEDORA-2018-2999cf6426, FEDORA-2018-a32082df51, openSUSE-SU-2018:0736-1, openSUSE-SU-2018:0765-1, openSUSE-SU-2018:0890-1, RHSA-2018:2511-01, RHSA-2018:2566-01, USN-3589-1, VIGILANCE-VUL-25416.

Description of the vulnerability

An attacker can define SQL functions with the same names as built-in functions of PostgreSQL, in order to make users run them with their own privileges.

computer vulnerability CVE-2018-1052

PostgreSQL: information disclosure

Synthesis of the vulnerability

An attacker can bypass access restrictions to data of PostgreSQL, in order to obtain sensitive information.
Impacted products: PostgreSQL.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 09/02/2018.
Identifiers: CVE-2018-1052, VIGILANCE-VUL-25265.

Description of the vulnerability

An attacker can bypass access restrictions to data of PostgreSQL, in order to obtain sensitive information.