Main Vulnerability Database SB2018120302

SB2018120302 - Gentoo update for PostgreSQL

Published: February 3, 2018 Updated: December 3, 2018

Security Bulletin ID SB2018120302

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) SQL injection (CVE-ID: CVE-2018-16850)

The vulnerability allows a remote authenticated attacker to execute arbitrary SQL commands in web application database.

The vulnerability exists due to insufficient sanitization of statements involving CREATE TRIGGER REFERENCING. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database when running the pg_upgrade utility on the database or during a pg_dump utility dump/restore cycle.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.

Remediation

Install update from vendor's website.

References

https://security.gentoo.org/glsa/201811-24