CVE-2019-10164
Published: 20 June 2019
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.
Priority
CVSS 3 base score: 8.8
Status
Package | Release | Status |
---|---|---|
postgresql-10 | bionic | Released (10.9-0ubuntu0.18.04.1) |
postgresql-10 | cosmic | Released (10.9-0ubuntu0.18.10.1) |
postgresql-10 | disco | Does not exist |
postgresql-10 | precise | Does not exist |
postgresql-10 | trusty | Does not exist |
postgresql-10 | upstream | Released (10.9) |
postgresql-10 | xenial | Does not exist |
postgresql-11 | bionic | Does not exist |
postgresql-11 | cosmic | Does not exist |
postgresql-11 | disco | Released (11.4-0ubuntu0.19.04.1) |
postgresql-11 | precise | Does not exist |
postgresql-11 | trusty | Does not exist |
postgresql-11 | upstream | Released (11.4) |
postgresql-11 | xenial | Does not exist |
postgresql-9.1 | bionic | Does not exist |
postgresql-9.1 | cosmic | Does not exist |
postgresql-9.1 | disco | Does not exist |
postgresql-9.1 | precise | Not vulnerable |
postgresql-9.1 | trusty | Does not exist |
postgresql-9.1 | upstream | Not vulnerable |
postgresql-9.1 | xenial | Does not exist |
postgresql-9.3 | bionic | Does not exist |
postgresql-9.3 | cosmic | Does not exist |
postgresql-9.3 | disco | Does not exist |
postgresql-9.3 | precise | Does not exist |
postgresql-9.3 | trusty | Not vulnerable |
postgresql-9.3 | upstream | Not vulnerable |
postgresql-9.3 | xenial | Does not exist |
postgresql-9.5 | bionic | Does not exist |
postgresql-9.5 | cosmic | Does not exist |
postgresql-9.5 | disco | Does not exist |
postgresql-9.5 | precise | Does not exist |
postgresql-9.5 | trusty | Does not exist |
postgresql-9.5 | upstream | Not vulnerable |
postgresql-9.5 | xenial | Not vulnerable |
Notes
Author | Note |
---|---|
mdeslaur | 10.x, 11.x and 12.x only |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10164
- https://www.postgresql.org/about/news/1949/
- https://ubuntu.com/security/notices/USN-4027-1
- NVD
- Launchpad
- Debian