CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
66.0%
The PostgreSQL project reports:
CVE-2018-10915: Certain host connection parameters defeat
client-side security defenses
libpq, the client connection API for PostgreSQL that is also used
by other connection libraries, had an internal issue where it did not
reset all of its connection state variables when attempting to
reconnect. In particular, the state variable that determined whether
or not a password is needed for a connection would not be reset, which
could allow users of features requiring libpq, such as the “dblink” or
“postgres_fdw” extensions, to login to servers they should not be able
to access.
CVE-2018-10925: Memory disclosure and missing authorization in
INSERT ... ON CONFLICT DO UPDATE
An attacker able to issue CREATE TABLE can read arbitrary bytes of
server memory using an upsert (INSERT ... ON CONFLICT DO UPDATE
)
query. By default, any user can exploit that. A user that has
specific INSERT privileges and an UPDATE privilege on at least one
column in a given table can also update other columns using a view and
an upsert query.
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | postgresql10-server | < 10.5 | UNKNOWN |
FreeBSD | any | noarch | postgresql96-server | < 9.6.10 | UNKNOWN |
FreeBSD | any | noarch | postgresql95-server | < 9.5.14 | UNKNOWN |
FreeBSD | any | noarch | postgresql94-server | < 9.4.19 | UNKNOWN |
FreeBSD | any | noarch | postgresql93-server | < 9.3.24 | UNKNOWN |
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
66.0%