#VU20004 Information disclosure in PostgreSQL - CVE-2019-10209

Cybersecurity Help s.r.o.

Published: 2019-08-08

Vulnerability identifier: #VU20004

Vulnerability risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2019-10209

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to way PostgreSQL processes user-defined hash equality operators. A remote attacker can under certain circumstances read arbitrary bytes from server memory.

Note, exploitation of this vulnerability requires a superuser to create unusual operators.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 11.0 - 11.4

External links
https://www.postgresql.org/about/news/1960/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for SUSE Manager Client Tools

Arch Linux update for postgresql-libs

Arch Linux update for postgresql

Fedora 29 update for postgresql

Information disclosure in postgresql (Alpine package)

Debian update for postgresql-11

Fedora 30 update for libpq, postgresql

Ubuntu update for PostgreSQL

Multiple vulnerabilities in PostgreSQL