Multiple vulnerabilities in PostgreSQL

Published: 2018-02-09 12:20:04
Severity Low
Patch available YES
Number of vulnerabilities 2
CVE ID CVE-2018-1052
CVE-2018-1053
CVSSv3 5.5 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
3.6 [CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CWE ID CWE-20
CWE-200
Exploitation vector Network
Public exploit Not available
Vulnerable software PostgreSQL
Vulnerable software versions PostgreSQL 10.1
PostgreSQL 10.0
Vendor URL PostgreSQL Global Development Group

Security Advisory

1) Denial of service

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists due to improper processing of partition keys that contains multiple expressions. A remote attacker can send specially crafted input and cause the application to crash.

Remediation

Update to version 10.2.

External links

https://www.postgresql.org/docs/current/static/release-10-2.html

2) Information disclosure

Description

A vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to insufficient security restrictions. A remote attacker can gain access to sensitive information.

Remediation

Update to version 10.2.

External links

https://www.postgresql.org/docs/current/static/release-10.html#id-1.11.6.7.5

Back to List