CVE-2019-10208

Name
CVE-2019-10208
Description
A flaw was discovered in PostgreSQL versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10, and 11.x before 11.5, where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker with EXECUTE permission on the function can execute arbitrary SQL as the owner of the function.
NVD Severity
high

References

Type URI
Vendor Advisory https://www.postgresql.org/about/news/1960/
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10208
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 11.0 < 11.5
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 10.0 < 10.10
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 9.6.0 < 9.6.15
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 9.5.0 < 9.5.19
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* postgresql >= 9.4.0 < 9.4.24

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
postgresql15 edge-main 11.5-r0 None fixed
postgresql15 edge-community 11.5-r0 None fixed
postgresql15 3.20-main 11.5-r0 None fixed
postgresql15 3.19-main 11.5-r0 None fixed
postgresql15 3.18-main 11.5-r0 None fixed
postgresql15 3.17-main 11.5-r0 None fixed
postgresql14 edge-main 11.5-r0 None fixed
postgresql14 edge-community 11.5-r0 None fixed
postgresql14 3.20-community 11.5-r0 None fixed
postgresql14 3.19-community 11.5-r0 None fixed
postgresql14 3.18-main 11.5-r0 None fixed
postgresql14 3.17-main 11.5-r0 None fixed
postgresql edge-main 11.5-r0 None fixed
postgresql edge-main 11.4-r0 None possibly vulnerable
postgresql edge-main 11.3-r0 None possibly vulnerable
postgresql edge-main 11.1-r0 None possibly vulnerable
postgresql edge-main 10.5-r0 None possibly vulnerable
postgresql edge-main 10.4-r0 None possibly vulnerable
postgresql edge-main 10.3-r0 None possibly vulnerable
postgresql edge-main 10.2-r0 None possibly vulnerable
postgresql edge-main 10.1-r0 None possibly vulnerable
postgresql edge-main 9.6.4-r0 None possibly vulnerable
postgresql edge-main 9.6.3-r0 None possibly vulnerable
postgresql 3.12-main 11.5-r0 None fixed
postgresql 3.11-main 11.5-r0 None fixed
postgresql 3.10-main 11.5-r0 None fixed