Your submission was sent successfully! Close

CVE-2018-16850

Published: 8 November 2018

postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
postgresql-10
Launchpad, Ubuntu, Debian
bionic
Released (10.6-0ubuntu0.18.04.1)
cosmic
Released (10.6-0ubuntu0.18.10.1)
precise Does not exist

trusty Does not exist

upstream
Released (10.6)
xenial Does not exist

postgresql-9.1
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Not vulnerable

trusty Does not exist
(trusty was not-affected)
upstream Not vulnerable

xenial Does not exist

postgresql-9.3
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Not vulnerable

upstream Not vulnerable

xenial Does not exist

postgresql-9.5
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

precise Does not exist

trusty Does not exist

upstream Not vulnerable

xenial Not vulnerable