CVE-2018-16850

CVE-2018-16850

Name

CVE-2018-16850

Description

postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Release Notes	https://www.postgresql.org/about/news/1905/
Issue Tracking	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16850
Third Party Advisory	https://usn.ubuntu.com/3818-1/
Third Party Advisory	http://www.securitytracker.com/id/1042144
Third Party Advisory	http://www.securityfocus.com/bid/105923
Mitigation	https://security.gentoo.org/glsa/201811-24
Third Party Advisory	https://access.redhat.com/errata/RHSA-2018:3757

Type

URI

Release Notes

https://www.postgresql.org/about/news/1905/

Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16850

Third Party Advisory

https://usn.ubuntu.com/3818-1/

Third Party Advisory

http://www.securitytracker.com/id/1042144

Third Party Advisory

http://www.securityfocus.com/bid/105923

Mitigation

https://security.gentoo.org/glsa/201811-24

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3757

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 10.0	< 10.6
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 11.0	< 11.1
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 9.3.0	< 9.3.25
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 9.5.0	< 9.5.15
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 9.4.0	< 9.4.20
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 9.6.0	< 9.6.11

CPE URI

Source package

Min version

Max version