CVE-2019-10130

Publication date 9 May 2019

Last updated 24 July 2024


Ubuntu priority

CVSS 3 Severity Score

4.3 · Medium


A vulnerability was found in PostgreSQL versions 11.x before 11.3, 10.x before 10.8, 9.6.x before 9.6.13, and 9.5.x before 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.
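An added example (not part of the original advisory or of Ubuntu's tooling): a check of an upstream PostgreSQL server version against the first fixed releases named in the description above. It accepts the value of server_version or server_version_num; the function names and the sample version strings are constructed for illustration, and Ubuntu package versions are not evaluated.

```python
import re

# First fixed release per affected branch, taken from the advisory text above.
FIXED = {(11,): (11, 3), (10,): (10, 8), (9, 6): (9, 6, 13), (9, 5): (9, 5, 17)}


def parse_version(raw):
    """Parse server_version ('10.7 (Ubuntu ...)') or server_version_num
    ('100007', '90612') into a tuple of ints."""
    raw = str(raw).strip()
    if re.fullmatch(r"\d{5,6}", raw):              # server_version_num form
        major, rest = divmod(int(raw), 10000)
        if major >= 10:                            # 10 and later: (major, minor)
            return (major, rest)
        return (major, rest // 100, rest % 100)    # 9.x: (9, 6, 12)
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", raw)
    if not m:
        raise ValueError(f"unrecognised PostgreSQL version: {raw!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def check(raw):
    """Return (status, first_fixed). status is 'affected', 'fixed' or
    'branch-not-listed' (the description names only 9.5, 9.6, 10 and 11)."""
    v = parse_version(raw)
    # Before version 10 a release branch is two components (9.6); from 10 on, one.
    branch = v[:1] if v[0] >= 10 else v[:2]
    fixed = FIXED.get(branch)
    if fixed is None:
        return ("branch-not-listed", None)
    return ("affected" if v < fixed else "fixed", ".".join(map(str, fixed)))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real host.
    for sample in ("10.7 (Ubuntu 10.7-0ubuntu0.18.04.1)", "90612", "11.3", "9.4.20"):
        print(sample, "->", check(sample))
```
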

Status

Package          Ubuntu Release      Status
postgresql-10    19.04 disco         Not in release
postgresql-10    18.10 cosmic        Fixed 10.8-0ubuntu0.18.10.1
postgresql-10    18.04 LTS bionic    Fixed 10.8-0ubuntu0.18.04.1
postgresql-10    16.04 LTS xenial    Not in release
postgresql-10    14.04 LTS trusty    Not in release
postgresql-11    19.04 disco         Fixed 11.3-0ubuntu0.19.04.1
postgresql-11    18.10 cosmic        Not in release
postgresql-11    18.04 LTS bionic    Not in release
postgresql-11    16.04 LTS xenial    Not in release
postgresql-11    14.04 LTS trusty    Not in release
postgresql-9.1   19.04 disco         Not in release
postgresql-9.1   18.10 cosmic        Not in release
postgresql-9.1   18.04 LTS bionic    Not in release
postgresql-9.1   16.04 LTS xenial    Not in release
postgresql-9.1   14.04 LTS trusty    Not in release
postgresql-9.3   19.04 disco         Not in release
postgresql-9.3   18.10 cosmic        Not in release
postgresql-9.3   18.04 LTS bionic    Not in release
postgresql-9.3   16.04 LTS xenial    Not in release
postgresql-9.3   14.04 LTS trusty    Not affected
postgresql-9.5   19.04 disco         Not in release
postgresql-9.5   18.10 cosmic        Not in release
postgresql-9.5   18.04 LTS bionic    Not in release
postgresql-9.5   16.04 LTS xenial    Fixed 9.5.17-0ubuntu0.16.04.1
postgresql-9.5   14.04 LTS trusty    Not in release

Severity score breakdown

Parameter              Value
Base score             4.3 · Medium
Attack vector          Network
Attack complexity      Low
Privileges required    Low
User interaction       None
Scope                  Unchanged
Confidentiality        Low
Integrity impact       None
Availability impact    None
Vector                 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References

Related Ubuntu Security Notices (USN)

    • USN-3972-1: PostgreSQL vulnerabilities (13 May 2019)

Other references