CVE-2018-10925

postgresql: Missing authorization and memory disclosure in INSERT ... ON CONFLICT DO UPDATE statements

Severity Score

8.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.

Se ha descubierto que las versiones anteriores a la 10.5, 9.6.10, 9.5.14, 9.4.19 y 9.3.24 de PostgreSQL no comprobaron correctamente la autorización de ciertas instrucciones relacionadas con "INSERT ... ON CONFLICT DO UPDATE". Un atacante con privilegios "CREATE TABLE" podría explotar esta vulnerabilidad para leer bytes arbitrarios de la memoria del servidor. Si el atacante tiene también determinados privilegios "INSERT" y privilegios limitados "UPDATE" en una tabla en concreto, podría explotar esta vulnerabilidad para actualizar otras columnas en la misma tabla.

It was discovered that PostgreSQL failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.

Andrew Krasichkov discovered that the PostgreSQL client library incorrectly reset its internal state between connections. A remote attacker could possibly use this issue to bypass certain client-side connection security features. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that PostgreSQL incorrectly checked authorization on certain statements. A remote attacker could possibly use this issue to read arbitrary server memory or alter certain data. Various other issues were also addressed.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-05-09 CVE Reserved
2018-08-09 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-863: Incorrect Authorization

CAPEC

References (14)

URL	Tag	Source
http://www.securityfocus.com/bid/105052	Third Party Advisory
http://www.securitytracker.com/id/1041446	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10925	2023-02-24

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html	2023-02-24
https://access.redhat.com/errata/RHSA-2018:2511	2023-02-24
https://access.redhat.com/errata/RHSA-2018:2565	2023-02-24
https://access.redhat.com/errata/RHSA-2018:2566	2023-02-24
https://access.redhat.com/errata/RHSA-2018:3816	2023-02-24
https://security.gentoo.org/glsa/201810-08	2023-02-24
https://usn.ubuntu.com/3744-1	2023-02-24
https://www.debian.org/security/2018/dsa-4269	2023-02-24
https://www.postgresql.org/about/news/1878	2023-02-24
https://access.redhat.com/security/cve/CVE-2018-10925	2018-12-13
https://bugzilla.redhat.com/show_bug.cgi?id=1612619	2018-12-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				14.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "14.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Postgresql Search vendor "Postgresql"		Postgresql Search vendor "Postgresql" for product "Postgresql"				>= 9.5.0 < 9.5.14 Search vendor "Postgresql" for product "Postgresql" and version " >= 9.5.0 < 9.5.14"		-		Affected
Postgresql Search vendor "Postgresql"		Postgresql Search vendor "Postgresql" for product "Postgresql"				>= 9.6.0 < 9.6.10 Search vendor "Postgresql" for product "Postgresql" and version " >= 9.6.0 < 9.6.10"		-		Affected
Postgresql Search vendor "Postgresql"		Postgresql Search vendor "Postgresql" for product "Postgresql"				>= 10.0 < 10.5 Search vendor "Postgresql" for product "Postgresql" and version " >= 10.0 < 10.5"		-		Affected