CVE-2019-10164
Published: 20 June 2019
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.
Notes
Author | Note |
---|---|
mdeslaur | 10.x, 11.x and 12.x only |
Priority
Status
Package | Release | Status |
---|---|---|
postgresql-11 Launchpad, Ubuntu, Debian |
upstream |
Released
(11.4)
|
xenial |
Does not exist
|
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Released
(11.4-0ubuntu0.19.04.1)
|
|
postgresql-10 Launchpad, Ubuntu, Debian |
upstream |
Released
(10.9)
|
xenial |
Does not exist
|
|
bionic |
Released
(10.9-0ubuntu0.18.04.1)
|
|
cosmic |
Released
(10.9-0ubuntu0.18.10.1)
|
|
disco |
Does not exist
|
|
postgresql-9.5 Launchpad, Ubuntu, Debian |
upstream |
Not vulnerable
|
xenial |
Not vulnerable
|
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
postgresql-9.3 Launchpad, Ubuntu, Debian |
upstream |
Not vulnerable
|
xenial |
Does not exist
|
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
|
postgresql-9.1 Launchpad, Ubuntu, Debian |
upstream |
Not vulnerable
|
xenial |
Does not exist
|
|
bionic |
Does not exist
|
|
cosmic |
Does not exist
|
|
disco |
Does not exist
|
Severity score breakdown
Parameter | Value |
---|---|
Base score | 8.8 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |