Alpine: postgresql: security update to 10.5-r0

high Tenable Self-Hosted Container Security Plugin ID 406457

Description

There are packages installed that are affected by multiple vulnerabilities referenced in the following CVEs:

- A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly
reset its internal state between connections. If an affected version of libpq was used with "host" or
"hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection
security features, obtain access to higher privileged connections or potentially cause other impact
through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before
10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected. (CVE-2018-10915)

- It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to
properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An
attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the
attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could
exploit this to update other columns in the same table. (CVE-2018-10925)

See Also

https://security.alpinelinux.org/vuln/CVE-2018-10915

https://security.alpinelinux.org/vuln/CVE-2018-10925

Plugin Details

Severity: High

ID: 406457

Version: Revision 1.27

Type: Local

Published: 10/31/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

CVSS v2

Risk Factor: Medium

Base Score: 6

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2018-10915

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS Score Source: CVE-2018-10925

Vulnerability Information

Exploit Ease: No known exploits are available

Vulnerability Publication Date: 8/9/2018

Reference Information

CVE: CVE-2018-10915, CVE-2018-10925

BID: 105052, 105054

IAVB: 2018-B-0101-S