Multiple vulnerabilities in PostgreSQL



Published: 2018-02-09
Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2018-1052
CVE-2018-1053
CWE-ID CWE-20
CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		PostgreSQL
Server applications / Database software

Vendor PostgreSQL Global Development Group

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Denial of service

EUVDB-ID: #VU10437

Risk: Low

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1052

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to cause DoS condition on the target system.

The weakness exists due to improper processing of partition keys that contains multiple expressions. A remote attacker can send specially crafted input and cause the application to crash.

Mitigation

Update to version 10.2.

Vulnerable software versions

PostgreSQL: 10.0 - 10.1

External links

http://www.postgresql.org/docs/current/static/release-10-2.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU10439

Risk: Low

CVSSv3.1: 3.8 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1053

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

A vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to insufficient security restrictions. A remote attacker can gain access to sensitive information.

Mitigation

Update to version 10.2.

Vulnerable software versions

PostgreSQL: 10.0 - 10.1

External links

http://www.postgresql.org/docs/current/static/release-10.html#id-1.11.6.7.5


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###