Your submission was sent successfully! Close

CVE-2019-10130

Published: 9 May 2019

A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.

Priority

Medium

CVSS 3 base score: 4.3

Status

Package Release Status
postgresql-10
Launchpad, Ubuntu, Debian
bionic
Released (10.8-0ubuntu0.18.04.1)
cosmic
Released (10.8-0ubuntu0.18.10.1)
disco Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (10.8)
xenial Does not exist

postgresql-11
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

disco
Released (11.3-0ubuntu0.19.04.1)
precise Does not exist

trusty Does not exist

upstream
Released (11.3)
xenial Does not exist

postgresql-9.1
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

disco Does not exist

precise Not vulnerable

trusty Does not exist

upstream Needs triage

xenial Does not exist

postgresql-9.3
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

disco Does not exist

precise Does not exist

trusty Not vulnerable

upstream Needs triage

xenial Does not exist

postgresql-9.5
Launchpad, Ubuntu, Debian
bionic Does not exist

cosmic Does not exist

disco Does not exist

precise Does not exist

trusty Does not exist

upstream
Released (9.5.17)
xenial
Released (9.5.17-0ubuntu0.16.04.1)