CVE-2019-10164 – postgresql: Stack-based buffer overflow via setting a password
https://notcve.org/view.php?id=CVE-2019-10164
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account. Las versiones 10.x de PostgreSQL anteriores a 10.9 y 11.x anteriores a 11.4 son vulnerables a un desbordamiento de búfer basado en pilas. Cualquier usuario autenticado puede desbordar un búfer basado en pila cambiando la propia contraseña del usuario a un valor diseñado específicamente. • http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00035.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10164 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MAGE6H4FWLKFLHLWVYNPYGQRPIXTUWGB https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TTKEHXGDXYYD6WYDIIQJP4GDQJSENDJK https://security.gentoo.org/glsa/202003-03 https://www.postgresql.org/about/news/1949 https://access.redhat.com/security/cve/CVE-2019- • CWE-121: Stack-based Buffer Overflow CWE-787: Out-of-bounds Write •
CVE-2019-10129
https://notcve.org/view.php?id=CVE-2019-10129
A vulnerability was found in postgresql versions 11.x prior to 11.3. Using a purpose-crafted insert to a partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any user can create a partitioned table suitable for this attack. (Exploit prerequisites are the same as for CVE-2018-1052). Se detectó una vulnerabilidad en postgresql versiones 11.x anteriores a 11.3. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10129 https://security.gentoo.org/glsa/202003-03 https://www.postgresql.org/about/news/1939 • CWE-125: Out-of-bounds Read •
CVE-2019-10130 – postgresql: Selectivity estimators bypass row security policies
https://notcve.org/view.php?id=CVE-2019-10130
A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10130 https://security.gentoo.org/glsa/202003-03 https://www.postgresql.org/about/news/1939 https://access.redhat.com/security/cve/CVE-2019-10130 https://bugzilla.redhat.com/show_bug.cgi?id=1707109 • CWE-284: Improper Access Control •
CVE-2019-9193 – PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution
https://notcve.org/view.php?id=CVE-2019-9193
In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’. ** EN DISPUTA ** En PostgreSQL 9.3 a 11.2, la función "COPIAR HACIA / DESDE EL PROGRAMA" permite a los superusuarios y usuarios en el grupo 'pg_execute_server_program' ejecutar código arbitrario en el contexto del usuario del sistema operativo de la base de datos. Esta funcionalidad está habilitada de manera predeterminada y se puede abusar para ejecutar comandos arbitrarios del sistema operativo en Windows, Linux y macOS. • https://www.exploit-db.com/exploits/46813 https://github.com/b4keSn4ke/CVE-2019-9193 https://github.com/paulotrindadec/CVE-2019-9193 https://github.com/chromanite/CVE-2019-9193-PostgreSQL-9.3-11.7 http://packetstormsecurity.com/files/152757/PostgreSQL-COPY-FROM-PROGRAM-Command-Execution.html http://packetstormsecurity.com/files/166540/PostgreSQL-11.7-Remote-Code-Execution.html http://packetstormsecurity.com/files/171722/PostgreSQL-9.6.1-Remote-Code-Execution.html https://blog.hagander.net/when-a • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2018-16850 – postgresql: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING
https://notcve.org/view.php?id=CVE-2018-16850
postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges. postgresql en versiones anteriores a la 11.1 y 10.6 es vulnerable a una inyección SQL en pg_upgrade y pg_dump mediante CREATE TRIGGER ... REFERENCING. Mediante una definición de detonador manipulado para tal propósito, un atacante puede provocar que la ejecución con privilegios de superusuario de instrucciones SQL. • http://www.securityfocus.com/bid/105923 http://www.securitytracker.com/id/1042144 https://access.redhat.com/errata/RHSA-2018:3757 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16850 https://security.gentoo.org/glsa/201811-24 https://usn.ubuntu.com/3818-1 https://www.postgresql.org/about/news/1905 https://access.redhat.com/security/cve/CVE-2018-16850 https://bugzilla.redhat.com/show_bug.cgi?id=1645937 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •