Alpine: postgresql: security update to 10.2-r0

high Tenable Self-Hosted Container Security Plugin ID 406454

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing
an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a
partitioned table. (CVE-2018-1052)

- In postgresql 9.3.x before 9.3.21, 9.4.x before 9.4.16, 9.5.x before 9.5.11, 9.6.x before 9.6.7 and 10.x
before 10.2, pg_upgrade creates file in current working directory containing the output of `pg_dumpall -g`
under umask which was in effect when the user invoked pg_upgrade, and not under 0077 which is normally
used for other temporary files. This can allow an authenticated attacker to read or modify the one file,
which may contain encrypted or unencrypted database passwords. The attack is infeasible if a directory
mode blocks the attacker searching the current working directory or if the prevailing umask blocks the
attacker opening the file. (CVE-2018-1053)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-1052

https://security.alpinelinux.org/vuln/CVE-2018-1053

Plugin Details

Severity: High

ID: 406454

Version: Revision 1.25

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 4

Temporal Score: 3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2018-1052

CVSS v3

Risk Factor: High

Base Score: 7

Temporal Score: 6.1

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2018-1053

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 2/8/2018

Reference Information

CVE: CVE-2018-1052, CVE-2018-1053

BID: 102986, 102987

IAVB: 2018-B-0024-S