Vulnerability CVE-2019-10208: Information

Description

A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.

Severity: HIGH (8.8) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2019-10208

Published: Oct. 29, 2019

Modified: Aug. 17, 2020

Error type identifier: CWE-89

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
postgresql10	p10	10.10-alt1	10.23-alt1.p10.1	ALT-PU-2019-2387-1	235637	Fixed
postgresql10	p9	10.10-alt1	10.23-alt0.M90P.1	ALT-PU-2019-2429-1	235661	Fixed
postgresql10	p8	10.10-alt0.M80P.1	10.19-alt0.M80P.1	ALT-PU-2019-2460-1	235652	Fixed
postgresql10	c10f1	10.10-alt1	10.23-alt1	ALT-PU-2019-2387-1	235637	Fixed
postgresql10	c9f2	10.10-alt1	10.23-alt0.M90P.1	ALT-PU-2019-2429-1	235661	Fixed
postgresql11	p10	11.5-alt1	11.22-alt0.p10.1	ALT-PU-2019-2383-1	235637	Fixed
postgresql11	p9	11.5-alt1	11.22-alt0.M90P.1	ALT-PU-2019-2425-1	235661	Fixed
postgresql11	p8	11.5-alt0.M80P.1	11.14-alt0.M80P.1	ALT-PU-2019-2456-1	235652	Fixed
postgresql11	c10f1	11.5-alt1	11.22-alt0.p10.1	ALT-PU-2019-2383-1	235637	Fixed
postgresql11	c9f2	11.5-alt1	11.22-alt0.M90P.1	ALT-PU-2019-2425-1	235661	Fixed
postgresql9.4	p9	9.4.24-alt1	9.4.26-alt1	ALT-PU-2019-2426-1	235661	Fixed
postgresql9.4	p8	9.4.24-alt0.M80P.1	9.4.26-alt0.M80P.1	ALT-PU-2019-2457-1	235652	Fixed
postgresql9.4	c9f2	9.4.24-alt1	9.4.26-alt1	ALT-PU-2019-2426-1	235661	Fixed
postgresql9.5	p9	9.5.19-alt1	9.5.25-alt1	ALT-PU-2019-2427-1	235661	Fixed
postgresql9.5	p8	9.5.19-alt0.M80P.1	9.5.25-alt0.M80P.1	ALT-PU-2019-2458-1	235652	Fixed
postgresql9.5	c9f2	9.5.19-alt1	9.5.25-alt1	ALT-PU-2019-2427-1	235661	Fixed
postgresql9.5	c7	9.5.9-alt0.M70C.2	9.5.9-alt0.M70C.1	ALT-PU-2022-2732-1	306725	Fixed
postgresql9.6	p9	9.6.15-alt1	9.6.24-alt0.M90P.1	ALT-PU-2019-2428-1	235661	Fixed
postgresql9.6	p8	9.6.15-alt0.M80P.1	9.6.24-alt0.M80P.1	ALT-PU-2019-2459-1	235652	Fixed
postgresql9.6	c9f2	9.6.15-alt1	9.6.24-alt0.M90P.1	ALT-PU-2019-2428-1	235661	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://www.postgresql.org/about/news/1960/	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10208	Issue Tracking Third Party Advisory
openSUSE-SU-2020:1227

Affected configurations:
1. Configuration 1
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  9.5.0
  End excliding
  9.5.19
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  9.6.0
  End excliding
  9.6.15
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  10.0
  End excliding
  10.10
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  11.0
  End excliding
  11.5
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  9.4.0
  End excliding
  9.4.24

Version: v24.5.1

Vulnerability CVE-2019-10208: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1