Your submission was sent successfully! Close

CVE-2018-10925

Published: 9 August 2018

It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.

Priority

Medium

CVSS 3 base score: 8.1

Status

Package Release Status
postgresql-10
Launchpad, Ubuntu, Debian
bionic
Released (10.5-0ubuntu0.18.04)
precise Does not exist

trusty Does not exist

upstream
Released (10.5-1)
xenial Does not exist

postgresql-9.1
Launchpad, Ubuntu, Debian
bionic Does not exist

precise Not vulnerable
(code not present)
trusty Does not exist
(trusty was not-affected [code not present])
upstream Not vulnerable
(code not present)
xenial Does not exist

postgresql-9.3
Launchpad, Ubuntu, Debian
bionic Does not exist

precise Does not exist

trusty Not vulnerable
(code not present)
upstream Not vulnerable
(code not present)
xenial Does not exist

postgresql-9.5
Launchpad, Ubuntu, Debian
bionic Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (9.5.14)
xenial
Released (9.5.14-0ubuntu0.16.04)