CVSSv2: 6.5

CVE-2019-10208

Published: 29/10/2019 Updated: 17/08/2020
CVSS v2 Base Score: 6.5 | Impact Score: 6.4 | Exploitability Score: 8
CVSS v3 Base Score: 8.8 | Impact Score: 5.9 | Exploitability Score: 2.8
VMScore: 578
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P

Vulnerability Summary

A flaw exists in PostgreSQL versions 9.4.x prior to 9.4.24, 9.5.x prior to 9.5.19, 9.6.x prior to 9.6.15, 10.x prior to 10.10 and 11.x prior to 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function: one whose body contains a function call with an inexact argument type match, such as length('foo'::varchar) rather than the exact length('foo'::text). An attacker with EXECUTE permission on the function can execute arbitrary SQL as the owner of the function.

Vulnerability Trend


postgresql postgresql

Vendor Advisories

An issue has been discovered in the PostgreSQL database system, which could result in privilege escalation. For additional information please refer to the upstream announcement at www.postgresql.org/about/news/1960/. For the oldstable distribution (stretch), these problems have been fixed in version 9.6.15-0+deb9u1. We recommend that you upgr ...
Two security issues have been discovered in the PostgreSQL database system, which could result in privilege escalation, denial of service or memory disclosure. For additional information please refer to the upstream announcement at www.postgresql.org/about/news/1960/. For the stable distribution (buster), these problems have been fixed in ve ...
Synopsis: Important: postgresql:9.6 security update. Type/Severity: Security Advisory: Important. Topic: An update for the postgresql:9.6 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Com ...
Synopsis: Important: postgresql:10 security update. Type/Severity: Security Advisory: Important. Topic: An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Commo ...
Synopsis: Moderate: postgresql:10 security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability S ...
Synopsis: Important: postgresql:9.6 security update. Type/Severity: Security Advisory: Important. Topic: An update for the postgresql:9.6 module is now available for Red Hat Enterprise Linux 8.1 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Com ...
Synopsis: Moderate: rh-postgresql96-postgresql security update. Type/Severity: Security Advisory: Moderate. Topic: An update for rh-postgresql96-postgresql is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerabil ...
Synopsis: Important: postgresql:10 security update. Type/Severity: Security Advisory: Important. Topic: An update for the postgresql:10 module is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Importan ...
Synopsis: Important: postgresql:9.6 security update. Type/Severity: Security Advisory: Important. Topic: An update for the postgresql:9.6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring ...
Synopsis: Important: postgresql:9.6 security update. Type/Severity: Security Advisory: Important. Topic: An update for the postgresql:9.6 module is now available for Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Import ...
A flaw was discovered in postgresql where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function (CVE-2019-10208). A flaw was found in postgresql. If a client application that creates additional database connect ...
A security issue has been found in PostgreSQL < 11.5 where, given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call having inexact argument type match. For example, length('foo'::varc ...
A flaw was discovered in postgresql where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function (CVE-2019-10208). ...
PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns ...
Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call having inexact argument type match. For example, length('foo'::varchar) and length('foo') are inexact, while length('foo'::text ...
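The two preconditions the advisories above name (a SECURITY DEFINER function that unprivileged roles may EXECUTE, and an inexact argument type match inside its body) are both things a DBA can look for before the upgrade lands. The following is an added example, not code from the advisory or from the PostgreSQL project: it shows the inexact pattern the advisory quotes beside the exact-match form, then an audit query over pg_proc that lists every SECURITY DEFINER function outside the system schemas together with its owner, whether PUBLIC can execute it, and its body. The schema, function and role names (app, app.audit_len, app.audit_len_fixed, app_reader) are hypothetical; the catalog columns and functions used (pg_proc.prosecdef, has_function_privilege, pg_get_function_identity_arguments) exist in all the affected branches.

```sql
-- Added example (not from the advisory): vulnerable vs. exact-match
-- SECURITY DEFINER shapes, plus an audit query. Names are hypothetical.

CREATE SCHEMA IF NOT EXISTS app;

-- Vulnerable shape (the pattern the advisory describes): SECURITY DEFINER,
-- executable by everyone, and the body calls length() with a varchar
-- argument. pg_catalog.length is declared for text, not varchar, so this
-- call is an inexact match (advisory: length('foo'::varchar) is inexact).
CREATE OR REPLACE FUNCTION app.audit_len(v varchar) RETURNS int
LANGUAGE sql SECURITY DEFINER AS $$
  SELECT length(v);                     -- length(varchar): inexact match
$$;
GRANT EXECUTE ON FUNCTION app.audit_len(varchar) TO PUBLIC;

-- Hardened shape: the argument is cast to the declared parameter type, so
-- the call is an exact match (advisory: length('foo'::text) is exact), the
-- callee is schema-qualified, and search_path is pinned as the PostgreSQL
-- manual recommends for SECURITY DEFINER functions. EXECUTE is granted only
-- to the role that needs it. This removes the preconditions the advisory
-- names; it does not replace upgrading to a fixed release.
CREATE OR REPLACE FUNCTION app.audit_len_fixed(v varchar) RETURNS int
LANGUAGE sql SECURITY DEFINER
SET search_path = pg_catalog, pg_temp
AS $$
  SELECT pg_catalog.length(v::text);    -- length(text): exact match
$$;
REVOKE ALL ON FUNCTION app.audit_len_fixed(varchar) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION app.audit_len_fixed(varchar) TO app_reader;  -- hypothetical role; create it first

-- Audit: every SECURITY DEFINER function outside the system schemas, its
-- owner, and whether PUBLIC (i.e. any login) can execute it. Rows with
-- public_can_execute = true are reachable by any attacker with a login;
-- review their bodies for calls whose argument types do not exactly match
-- the callee's declared parameter types.
SELECT n.nspname                                         AS schema,
       p.proname                                         AS function,
       pg_get_function_identity_arguments(p.oid)         AS args,
       pg_get_userbyid(p.proowner)                       AS owner,
       has_function_privilege('public', p.oid, 'EXECUTE') AS public_can_execute,
       p.prosrc                                          AS body
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY public_can_execute DESC, schema, function;
```

Run the audit query as a superuser so that pg_proc.prosrc is readable for every function. In the sample above it returns app.audit_len with public_can_execute = true and owner set to the creating role, which is exactly the combination an attacker with EXECUTE needs; app.audit_len_fixed appears with public_can_execute = false. Treat the query as triage, not as a fix: the only complete remediation is upgrading to 9.4.24, 9.5.19, 9.6.15, 10.10 or 11.5 as the vendor advisories state.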