Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

CVE-2018-16850

Related Vulnerabilities: CVE-2018-16850  

A SQL Injection flaw has been discovered in PostgreSQL server in the way triggers that enable transition relations are dumped. The transition relation name is not correctly quoted and it may allow an attacker with CREATE privilege on some non-temporary schema or TRIGGER privilege on some table to create a malicious trigger that, when dumped and restored, would result in additional SQL statements being executed.

Source
A SQL Injection flaw has been discovered in PostgreSQL server in the way triggers that enable transition relations are dumped. The transition relation name is not correctly quoted and it may allow an attacker with CREATE privilege on some non-temporary schema or TRIGGER privilege on some table to create a malicious trigger that, when dumped and restored, would result in additional SQL statements being executed.

Find out more about CVE-2018-16850 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

This issue did not affect the versions of postgresql as shipped with Red Hat Enterprise Linux 5, 6, and 7 as they did not include support for triggers with referecing syntax, which was included in a later version of the program.

It also doesn't affect the versions of postgresql shipped with CloudForms 4.2, 4.5 and 4.6, and Satellite 5, for the same reason as above.

This issue did not affect the versions of postgresql shipped within Tower, as there is no code path for Tower users to call the CREATE statement.

CVSS v3 metrics

CVSS3 Base Score 8
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact High

Red Hat Security Errata

Platform Errata Release Date
Red Hat Software Collections for Red Hat Enterprise Linux 7 (rh-postgresql10-postgresql) RHSA-2018:3757 2018-12-03

Affected Packages State

Platform Package State
Red Hat Virtualization 4 rh-postgresql95-postgresql Not affected
Red Hat Virtualization 4 postgresql Not affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-postgresql95-postgresql Not affected
Red Hat Software Collections for Red Hat Enterprise Linux rh-postgresql96-postgresql Not affected
Red Hat Satellite 5 rh-postgresql95-postgresql Not affected
Red Hat Enterprise Linux 7 postgresql Not affected
Red Hat Enterprise Linux 6 postgresql Not affected
Red Hat Enterprise Linux 5 postgresql Not affected
Red Hat Ansible Tower 3 for RHEL 7 postgresql96-libs Not affected

External References

This page is generated automatically and has not been checked for errors or omissions.

For clarification or corrections please contact Red Hat Product Security.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started