#VU15796 SQL injection in PostgreSQL - CVE-2018-16850


| Updated: 2018-11-12

Vulnerability identifier: #VU15796

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-16850

CWE-ID: CWE-89

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary SQL commands in web application database.

The vulnerability exists due to insufficient sanitization of statements involving CREATE TRIGGER REFERENCING. A remote attacker can send a specially crafted HTTP request to vulnerable script and execute arbitrary SQL commands in web application database when running the pg_upgrade utility on the database or during a pg_dump utility dump/restore cycle.

Successful exploitation of the vulnerability may allow an attacker to gain administrative access to vulnerable web application.

Mitigation
The vulnerability has been fixed in the versions 10.6, 11.1.

Vulnerable software versions

PostgreSQL: 10.0 - 11.0

External links
https://www.postgresql.org/about/news/1905/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


SQL injection in F5 BIG-IQ Centralized Management PostgreSQL component
OpenSUSE Linux update for postgresql10
Red Hat update for postgresql
OpenSUSE Linux update for postgresql10
SQL injection in PostgreSQL
SQL injection in postgresql (Alpine package)
Gentoo update for PostgreSQL