CVE-2019-10130

Severity: medium

Description

A vulnerability was found in PostgreSQL versions 11.x before 11.3, 10.x before 10.8, 9.6.x before 9.6.13, and 9.5.x before 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.
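The affected ranges from the description above, turned into a version check that can be run against the output of `SHOW server_version` or `SHOW server_version_num`. This is an added example, not code from the advisory or from PostgreSQL; the function names and the parsing of the version string are assumptions of the example.

```python
"""Classify PostgreSQL server versions against the affected ranges stated in
the CVE-2019-10130 description (added example; ranges copied from the
description, parsing logic and function names are the example's own)."""
from typing import Optional, Tuple

# (first affected release, first fixed release) per branch, as stated in the
# description: 11.x < 11.3, 10.x < 10.8, 9.6.x < 9.6.13, 9.5.x < 9.5.17.
AFFECTED_RANGES = [
    ((11, 0), (11, 3)),
    ((10, 0), (10, 8)),
    ((9, 6, 0), (9, 6, 13)),
    ((9, 5, 0), (9, 5, 17)),
]


def parse_version(version) -> Tuple[int, ...]:
    """Accept the dotted form from `SHOW server_version` (e.g. '9.6.12',
    '11.2', '11.2 (Debian 11.2-1)') or the integer from
    `SHOW server_version_num` (e.g. 90612, 110002)."""
    if isinstance(version, int):
        major, rest = divmod(version, 10000)
        if major >= 10:
            return (major, rest)                   # 110002 -> (11, 2)
        return (major, rest // 100, rest % 100)    # 90612  -> (9, 6, 12)
    parts = [int(p) for p in str(version).split()[0].split(".")]
    width = 2 if parts[0] >= 10 else 3             # 9.x has a three-part number
    parts += [0] * (width - len(parts))            # '11' -> (11, 0), '9.6' -> (9, 6, 0)
    return tuple(parts[:width])


def first_fixed_version(version) -> Optional[str]:
    """Return the first fixed release for the server's branch if the version
    lies inside one of the affected ranges, otherwise None."""
    v = parse_version(version)
    for lo, hi in AFFECTED_RANGES:
        if lo <= v < hi:
            return ".".join(str(x) for x in hi)
    return None


def is_affected(version) -> bool:
    """True only for versions inside a range the description lists."""
    return first_fixed_version(version) is not None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the page.
    for sample in ["11.2", "11.3", "10.7", "9.6.12 (Ubuntu 9.6.12-0ubuntu0.18.04.1)", 90516, 120000]:
        print(sample, "->", first_fixed_version(sample))
```

Branches the description does not list (for example 9.4.x) are reported as not affected by this check; consult the distribution advisories in the references for those.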

References

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10130

https://security.gentoo.org/glsa/202003-03

https://www.postgresql.org/about/news/1939/

Details

Source: MITRE

Published: 2019-07-30

Updated: 2020-09-30

Type: CWE-284

Risk Information

CVSS v2

Base Score: 4

Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 8

Severity: MEDIUM

CVSS v3

Base Score: 4.3

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Impact Score: 1.4

Exploitability Score: 2.8

Severity: MEDIUM

Tenable Plugins (27 total)

ID | Name | Product | Family | Severity
150722 | Oracle Linux 7 : rh-postgresql10-postgresql (ELSA-2021-9290) | Nessus | Oracle Linux Local Security Checks | high
146009 | CentOS 8 : postgresql:9.6 (CESA-2020:5619) | Nessus | CentOS Local Security Checks | high
145882 | CentOS 8 : postgresql:10 (CESA-2020:3669) | Nessus | CentOS Local Security Checks | high
145243 | RHEL 8 : postgresql:10 (RHSA-2021:0166) | Nessus | Red Hat Local Security Checks | high
145227 | RHEL 8 : postgresql:9.6 (RHSA-2021:0167) | Nessus | Red Hat Local Security Checks | high
145043 | RHEL 8 : postgresql:9.6 (RHSA-2021:0164) | Nessus | Red Hat Local Security Checks | high
144565 | Oracle Linux 8 : ELSA-2020-5619-1: / postgresql:9.6 (ELSA-2020-56191) | Nessus | Oracle Linux Local Security Checks | high
144560 | RHEL 8 : postgresql:9.6 (RHSA-2020:5661) | Nessus | Red Hat Local Security Checks | high
144559 | RHEL 8 : postgresql:10 (RHSA-2020:5664) | Nessus | Red Hat Local Security Checks | high
144395 | RHEL 8 : postgresql:9.6 (RHSA-2020:5619) | Nessus | Red Hat Local Security Checks | high
141979 | Amazon Linux AMI : postgresql96 (ALAS-2020-1443) | Nessus | Amazon Linux Local Security Checks | high
141944 | Amazon Linux AMI : postgresql95 (ALAS-2020-1442) | Nessus | Amazon Linux Local Security Checks | high
140486 | Oracle Linux 8 : postgresql:10 (ELSA-2020-3669) | Nessus | Oracle Linux Local Security Checks | high
140398 | RHEL 8 : postgresql:10 (RHSA-2020:3669) | Nessus | Red Hat Local Security Checks | high
139655 | openSUSE Security Update : postgresql96 / postgresql10 and postgresql12 (openSUSE-2020-1227) | Nessus | SuSE Local Security Checks | high
134470 | GLSA-202003-03 : PostgreSQL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high
127752 | SUSE SLED15 / SLES15 Security Update : postgresql10 (SUSE-SU-2019:2012-1) | Nessus | SuSE Local Security Checks | high
126905 | openSUSE Security Update : postgresql10 (openSUSE-2019-1773) | Nessus | SuSE Local Security Checks | high
126618 | SUSE SLED15 / SLES15 Security Update : postgresql10 (SUSE-SU-2019:1810-1) | Nessus | SuSE Local Security Checks | high
126369 | openSUSE Security Update : postgresql96 (openSUSE-2019-1668) | Nessus | SuSE Local Security Checks | medium
126238 | SUSE SLED12 / SLES12 Security Update : postgresql96 (SUSE-SU-2019:1687-1) | Nessus | SuSE Local Security Checks | medium
126039 | openSUSE Security Update : postgresql10 (openSUSE-2019-1578) | Nessus | SuSE Local Security Checks | medium
125947 | SUSE SLED12 / SLES12 Security Update : postgresql10 (SUSE-SU-2019:1511-1) | Nessus | SuSE Local Security Checks | medium
125264 | PostgreSQL 9.4.x < 9.4.22 / 9.5.x < 9.5.17 / 9.6.x < 9.6.13 / 10.x < 10.8 / 11.x < 11.3 Multiple vulnerabilities | Nessus | Databases | high
125025 | Ubuntu 16.04 LTS / 18.04 LTS / 18.10 / 19.04 : PostgreSQL vulnerabilities (USN-3972-1) | Nessus | Ubuntu Local Security Checks | medium
124788 | FreeBSD : PostgreSQL -- Selectivity estimators bypass row security policies (065890c3-725e-11e9-b0e1-6cc21735f730) | Nessus | FreeBSD Local Security Checks | medium
124721 | Debian DSA-4439-1 : postgresql-9.6 - security update | Nessus | Debian Local Security Checks | medium