CVE-2019-10208high
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
References
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html
Details
Source: MITRE
Published: 2019-10-29
Updated: 2020-08-17
Type: CWE-89
Risk Information
CVSS v2
Base Score: 6.5
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Impact Score: 6.4
Exploitability Score: 8
Severity: MEDIUM
CVSS v3
Base Score: 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 2.8
Severity: HIGH
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 151513 | Amazon Linux AMI : postgresql92 (ALAS-2021-1519) | Nessus | Amazon Linux Local Security Checks | high |
| 150972 | Amazon Linux 2 : postgresql (ALAS-2021-1665) | Nessus | Amazon Linux Local Security Checks | high |
| 150771 | CentOS 7 : postgresql (CESA-2021:1512) | Nessus | CentOS Local Security Checks | high |
| 150722 | Oracle Linux 7 : rh-postgresql10-postgresql (ELSA-2021-9290) | Nessus | Oracle Linux Local Security Checks | high |
| 149321 | RHEL 7 : postgresql (RHSA-2021:1512) | Nessus | Red Hat Local Security Checks | high |
| 149316 | Oracle Linux 7 : postgresql (ELSA-2021-1512) | Nessus | Oracle Linux Local Security Checks | high |
| 146009 | CentOS 8 : postgresql:9.6 (CESA-2020:5619) | Nessus | CentOS Local Security Checks | high |
| 145882 | CentOS 8 : postgresql:10 (CESA-2020:3669) | Nessus | CentOS Local Security Checks | high |
| 145243 | RHEL 8 : postgresql:10 (RHSA-2021:0166) | Nessus | Red Hat Local Security Checks | high |
| 145227 | RHEL 8 : postgresql:9.6 (RHSA-2021:0167) | Nessus | Red Hat Local Security Checks | high |
| 145043 | RHEL 8 : postgresql:9.6 (RHSA-2021:0164) | Nessus | Red Hat Local Security Checks | high |
| 144565 | Oracle Linux 8 : ELSA-2020-5619-1: / postgresql:9.6 (ELSA-2020-56191) | Nessus | Oracle Linux Local Security Checks | high |
| 144560 | RHEL 8 : postgresql:9.6 (RHSA-2020:5661) | Nessus | Red Hat Local Security Checks | high |
| 144559 | RHEL 8 : postgresql:10 (RHSA-2020:5664) | Nessus | Red Hat Local Security Checks | high |
| 144395 | RHEL 8 : postgresql:9.6 (RHSA-2020:5619) | Nessus | Red Hat Local Security Checks | high |
| 141992 | Amazon Linux AMI : postgresql94 (ALAS-2020-1441) | Nessus | Amazon Linux Local Security Checks | high |
| 141979 | Amazon Linux AMI : postgresql96 (ALAS-2020-1443) | Nessus | Amazon Linux Local Security Checks | high |
| 141944 | Amazon Linux AMI : postgresql95 (ALAS-2020-1442) | Nessus | Amazon Linux Local Security Checks | high |
| 140486 | Oracle Linux 8 : postgresql:10 (ELSA-2020-3669) | Nessus | Oracle Linux Local Security Checks | high |
| 140398 | RHEL 8 : postgresql:10 (RHSA-2020:3669) | Nessus | Red Hat Local Security Checks | high |
| 139655 | openSUSE Security Update : postgresql96 / postgresql10 and postgresql12 (openSUSE-2020-1227) | Nessus | SuSE Local Security Checks | high |
| 132533 | Photon OS 2.0: Postgresql PHSA-2019-2.0-0190 | Nessus | PhotonOS Local Security Checks | high |
| 132526 | Photon OS 1.0: Postgresql PHSA-2019-1.0-0257 | Nessus | PhotonOS Local Security Checks | high |
| 130051 | SUSE SLED15 / SLES15 Security Update : postgresql10 (SUSE-SU-2019:2707-1) | Nessus | SuSE Local Security Checks | high |
| 129449 | EulerOS 2.0 SP8 : postgresql (EulerOS-SA-2019-2090) | Nessus | Huawei Local Security Checks | high |
| 128610 | SUSE SLES12 Security Update : postgresql94 (SUSE-SU-2019:2158-1) | Nessus | SuSE Local Security Checks | high |
| 128503 | openSUSE Security Update : postgresql10 (openSUSE-2019-2062) | Nessus | SuSE Local Security Checks | high |
| 128313 | SUSE SLED15 / SLES15 Security Update : postgresql10 (SUSE-SU-2019:2228-1) | Nessus | SuSE Local Security Checks | high |
| 128072 | SUSE SLES12 Security Update : postgresql96 (SUSE-SU-2019:2159-1) | Nessus | SuSE Local Security Checks | high |
| 127939 | Fedora 30 : libpq / postgresql (2019-986fce48b4) | Nessus | Fedora Local Security Checks | critical |
| 127934 | Fedora 29 : postgresql (2019-5fbbf73269) | Nessus | Fedora Local Security Checks | critical |
| 127905 | PostgreSQL 9.4.x < 9.4.24 / 9.5.x < 9.5.19 / 9.6.x < 9.6.15 / 10.x < 10.10 / 11.x < 11.5 Multiple Vulnerabilities | Nessus | Databases | critical |
| 127806 | Ubuntu 16.04 LTS / 18.04 LTS / 19.04 : postgresql-10, postgresql-11, postgresql-9.5 vulnerabilities (USN-4090-1) | Nessus | Ubuntu Local Security Checks | high |
| 127549 | FreeBSD : PostgresSQL -- TYPE in pg_temp execute arbitrary SQL during `SECURITY DEFINER` execution (9de4c1c1-b9ee-11e9-82aa-6cc21735f730) | Nessus | FreeBSD Local Security Checks | high |
| 127489 | Debian DSA-4493-1 : postgresql-11 - security update | Nessus | Debian Local Security Checks | high |
| 127488 | Debian DSA-4492-1 : postgresql-9.6 - security update | Nessus | Debian Local Security Checks | high |
| 127483 | Debian DLA-1874-1 : postgresql-9.4 security update | Nessus | Debian Local Security Checks | high |