CVE-2019-10208

CVE-2019-10208

Name

CVE-2019-10208

Description

A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.

NVD Severity

high

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Vendor Advisory	https://www.postgresql.org/about/news/1960/
Issue Tracking	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10208
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html

Type

URI

Vendor Advisory

https://www.postgresql.org/about/news/1960/

Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10208

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 11.0	< 11.5
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 10.0	< 10.10
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 9.6.0	< 9.6.15
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 9.5.0	< 9.5.19
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 9.4.0	< 9.4.24

CPE URI

Source package

Min version

Max version