The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of PostgreSQL

computer vulnerability bulletin CVE-2018-16850

PostgreSQL: SQL injection via pg_upgrade/pg_dump

Synthesis of the vulnerability

An attacker can use a SQL injection via pg_upgrade/pg_dump of PostgreSQL, in order to read or alter data.
Impacted products: Debian, Unisphere EMC, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: internet client.
Creation date: 08/11/2018.
Revision date: 09/11/2018.
Identifiers: 528379, CVE-2018-16850, DLA-1642-1, DSA-2018-208, openSUSE-SU-2018:3893-1, openSUSE-SU-2018:4031-1, RHSA-2018:3757-01, SUSE-SU-2018:3770-1, SUSE-SU-2018:3770-2, USN-3818-1, VIGILANCE-VUL-27738.

Description of the vulnerability

The PostgreSQL product uses a database.

However, user's data are directly inserted in a SQL query.

An attacker can therefore use a SQL injection via pg_upgrade/pg_dump of PostgreSQL, in order to read or alter data.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2018-10925

PostgreSQL: information disclosure via CONFLICT DO UPDATE

Synthesis of the vulnerability

A local attacker can read a memory fragment via CONFLICT DO UPDATE of PostgreSQL, in order to obtain sensitive information.
Impacted products: Debian, Unisphere EMC, Fedora, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: data reading.
Provenance: user account.
Creation date: 10/08/2018.
Identifiers: 528379, CVE-2018-10925, DSA-2018-208, DSA-4269-1, FEDORA-2018-d8f5aea89d, openSUSE-SU-2018:2599-1, openSUSE-SU-2018:3449-1, RHSA-2018:2511-01, RHSA-2018:2565-01, RHSA-2018:2566-01, SUSE-SU-2018:2564-1, SUSE-SU-2018:3377-1, USN-3744-1, VIGILANCE-VUL-26960.

Description of the vulnerability

A local attacker can read a memory fragment via CONFLICT DO UPDATE of PostgreSQL, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2018-10915

PostgreSQL: privilege escalation via Libpq Host Connection Parameters

Synthesis of the vulnerability

An attacker can bypass restrictions via Libpq Host Connection Parameters of PostgreSQL, in order to escalate his privileges.
Impacted products: Debian, Unisphere EMC, Fedora, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, WindRiver Linux.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: intranet client.
Creation date: 10/08/2018.
Identifiers: 528379, CVE-2018-10915, DLA-1464-1, DSA-2018-208, DSA-4269-1, FEDORA-2018-d8f5aea89d, openSUSE-SU-2018:2599-1, openSUSE-SU-2018:3449-1, openSUSE-SU-2018:4007-1, RHSA-2018:2511-01, RHSA-2018:2557-01, RHSA-2018:2565-01, RHSA-2018:2566-01, SUSE-SU-2018:2564-1, SUSE-SU-2018:3287-1, SUSE-SU-2018:3377-1, SUSE-SU-2018:3909-1, USN-3744-1, VIGILANCE-VUL-26959.

Description of the vulnerability

An attacker can bypass restrictions via Libpq Host Connection Parameters of PostgreSQL, in order to escalate his privileges.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2018-1115

PostgreSQL: log rotation via adminpack pg_logfile_rotate

Synthesis of the vulnerability

An attacker can bypass restrictions via adminpack pg_logfile_rotate() of PostgreSQL, in order to rotate logs.
Impacted products: Fedora, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 1/4.
Consequences: data creation/edition, data deletion.
Provenance: user shell.
Creation date: 11/05/2018.
Identifiers: CVE-2018-1115, FEDORA-2018-08550a9006, FEDORA-2018-937c789f2a, FEDORA-2018-bd6f9237b5, openSUSE-SU-2018:1709-1, openSUSE-SU-2018:1900-1, openSUSE-SU-2018:2599-1, RHSA-2018:2565-01, RHSA-2018:2566-01, SUSE-SU-2018:1695-1, SUSE-SU-2018:2564-1, VIGILANCE-VUL-26093.

Description of the vulnerability

An attacker can bypass restrictions via adminpack pg_logfile_rotate() of PostgreSQL, in order to rotate logs.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2018-1058

PostgreSQL: privilege escalation via function search paths

Synthesis of the vulnerability

An attacker can define SQL functions with the same names than built-in functions of PostgreSQL, in order to make users run them with their own privileges.
Impacted products: Fedora, openSUSE Leap, PostgreSQL, RHEL, Ubuntu.
Severity: 2/4.
Consequences: privileged access/rights, user access/rights.
Provenance: user account.
Creation date: 02/03/2018.
Identifiers: CVE-2018-1058, FEDORA-2018-2999cf6426, FEDORA-2018-a32082df51, openSUSE-SU-2018:0736-1, openSUSE-SU-2018:0765-1, openSUSE-SU-2018:0890-1, RHSA-2018:2511-01, RHSA-2018:2566-01, USN-3589-1, VIGILANCE-VUL-25416.

Description of the vulnerability

An attacker can define SQL functions with the same names than built-in functions of PostgreSQL, in order to make users run them with their own privileges.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2018-1052

PostgreSQL: information disclosure

Synthesis of the vulnerability

An attacker can bypass access restrictions to data of PostgreSQL, in order to obtain sensitive information.
Impacted products: PostgreSQL.
Severity: 2/4.
Consequences: data reading.
Provenance: intranet client.
Creation date: 09/02/2018.
Identifiers: CVE-2018-1052, VIGILANCE-VUL-25265.

Description of the vulnerability

An attacker can bypass access restrictions to data of PostgreSQL, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2018-1053

PostgreSQL: password disclosure via pg_upgrade

Synthesis of the vulnerability

The tool "pg_upgrade" creates world readable temporary files including passwords.
Impacted products: Debian, openSUSE Leap, PostgreSQL, RHEL, Ubuntu, WindRiver Linux.
Severity: 2/4.
Consequences: data reading.
Provenance: user shell.
Creation date: 08/02/2018.
Identifiers: CVE-2018-1053, DLA-1271-1, openSUSE-SU-2018:0523-1, openSUSE-SU-2018:0529-1, openSUSE-SU-2018:0688-1, RHSA-2018:2511-01, RHSA-2018:2566-01, USN-3564-1, VIGILANCE-VUL-25242.

Description of the vulnerability

The tool "pg_upgrade" creates world readable temporary files including passwords.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2017-12172 CVE-2017-15098 CVE-2017-15099

PostgreSQL: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, Junos Space, openSUSE Leap, PostgreSQL, RHEL, Ubuntu.
Severity: 2/4.
Consequences: data reading, data creation/edition, data deletion.
Provenance: user account.
Number of vulnerabilities in this bulletin: 3.
Creation date: 09/11/2017.
Identifiers: CVE-2017-12172, CVE-2017-15098, CVE-2017-15099, DSA-4027-1, DSA-4028-1, FEDORA-2017-0188f21212, FEDORA-2017-1f1fdab532, FEDORA-2017-783a436ee8, JSA10838, openSUSE-SU-2017:3425-1, openSUSE-SU-2018:0095-1, openSUSE-SU-2018:0529-1, RHSA-2017:3402-01, RHSA-2017:3403-01, RHSA-2017:3404-01, RHSA-2017:3405-01, RHSA-2018:2511-01, RHSA-2018:2566-01, USN-3479-1, VIGILANCE-VUL-24405.

Description of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2017-7546 CVE-2017-7547 CVE-2017-7548

PostgreSQL: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, openSUSE Leap, PostgreSQL, RHEL, SUSE Linux Enterprise Desktop, SLES, Ubuntu, WindRiver Linux.
Severity: 2/4.
Consequences: user access/rights, data reading.
Provenance: user account.
Number of vulnerabilities in this bulletin: 3.
Creation date: 10/08/2017.
Identifiers: CVE-2017-7546, CVE-2017-7547, CVE-2017-7548, DLA-1051-1, DSA-3935-1, DSA-3936-1, FEDORA-2017-9148fe36b9, FEDORA-2017-d9cac37bd8, FEDORA-2017-f9e66916ec, openSUSE-SU-2017:2306-1, openSUSE-SU-2017:2391-1, openSUSE-SU-2017:2392-1, openSUSE-SU-2018:0529-1, RHSA-2017:2677-01, RHSA-2017:2678-01, RHSA-2017:2728-01, RHSA-2017:2860-01, SUSE-SU-2017:2236-1, SUSE-SU-2017:2258-1, SUSE-SU-2017:2355-1, SUSE-SU-2017:2356-1, USN-3390-1, VIGILANCE-VUL-23493.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

An attacker can bypass security features via Libpq Empty Passwords, in order to escalate his privileges. [severity:2/4; CVE-2017-7546]

An attacker can bypass security features via pg_user_mappings.umoptions, in order to obtain sensitive information. [severity:2/4; CVE-2017-7547]

An attacker can bypass security features via lo_put(), in order to escalate his privileges. [severity:2/4; CVE-2017-7548]
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2017-7484 CVE-2017-7485 CVE-2017-7486

PostgreSQL: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PostgreSQL.
Impacted products: Debian, Fedora, openSUSE Leap, PostgreSQL, RHEL.
Severity: 2/4.
Consequences: privileged access/rights, data reading.
Provenance: user account.
Number of vulnerabilities in this bulletin: 3.
Creation date: 11/05/2017.
Identifiers: CVE-2017-7484, CVE-2017-7485, CVE-2017-7486, DLA-1051-1, DSA-3851-1, FEDORA-2017-0d5817efc0, FEDORA-2017-4de07172f4, FEDORA-2017-a8f4562bf5, openSUSE-SU-2017:1495-1, openSUSE-SU-2017:1772-1, RHSA-2017:1677-01, RHSA-2017:1678-01, RHSA-2017:1983-01, VIGILANCE-VUL-22714.

Description of the vulnerability

Several vulnerabilities were announced in PostgreSQL.

An attacker can bypass security features via Selectivity Estimators, in order to escalate his privileges. [severity:2/4; CVE-2017-7484]

An attacker can act as a Man-in-the-Middle via libpq, in order to read or write data in the session. [severity:2/4; CVE-2017-7485]

An attacker can bypass security features via pg_user_mappings, in order to obtain sensitive information. [severity:2/4; CVE-2017-7486]
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about PostgreSQL: