Alpine: postgresql: security update to 11.2-r1 (deprecated)

high Tenable Self-Hosted Container Security Plugin ID 400508

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for BigSQL-
supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data
directory; it keeps the inherited ACL. In the default configuration, an attacker having both an
unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service
account to execute arbitrary code. An attacker having only the unprivileged Windows account can read
arbitrary data directory files, essentially bypassing database-imposed read access limitations. An
attacker having only the unprivileged Windows account can also delete certain data directory files.
(CVE-2019-10127)

- A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for
EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the
ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local
attacker to read arbitrary data directory files, essentially bypassing database-imposed read access
limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows
account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute
arbitrary code. (CVE-2019-10128)

- A vulnerability was found in postgresql versions 11.x prior to 11.3. Using a purpose-crafted insert to a
partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration,
any user can create a partitioned table suitable for this attack. (Exploit prerequisites are the same as
for CVE-2018-1052). (CVE-2019-10129)

- A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8,
9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. PostgreSQL maintains column statistics for
tables. Certain statistics, such as histograms and lists of most common values, contain values taken from
the column. PostgreSQL does not evaluate row security policies before consulting those statistics during
query planning; an attacker can exploit this to read the most common values of certain columns. Affected
columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-
level security prunes the set of rows visible to the attacker. (CVE-2019-10130)

See Also

https://git.alpinelinux.org/aports/commit/?id=06fca9ff59d1c02e24c448c7c99a5fb9fa35a0b3

https://git.alpinelinux.org/aports/commit/?id=7cf139bac41c8f2e1885d5f99334daeaeb059ac3

Plugin Details

Severity: High

ID: 400508

Version: Revision 1.23

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.11

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2019-10127

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/11/2019

Vulnerability Publication Date: 5/9/2019

Reference Information

CVE: CVE-2019-10127, CVE-2019-10128, CVE-2019-10129, CVE-2019-10130

BID: 108452, 108506, 108515, 108519

IAVB: 2019-B-0040-S