Red Hat update for postgresql



Published: 2018-12-03
Risk Low
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2018-16850
CWE-ID CWE-89
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Red Hat Enterprise Linux for x86_64
Operating systems & Components / Operating system

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) SQL injection

EUVDB-ID: #VU15796

Risk: Low

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-16850

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary SQL commands in web application database.

The vulnerability exists due to insufficient sanitization of statements involving CREATE TRIGGER REFERENCING. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database when running the pg_upgrade utility on the database or during a pg_dump utility dump/restore cycle.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for x86_64: 7.0 - 7.6

External links

http://access.redhat.com/errata/RHSA-2018:3757


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###