CVE-2019-10208: SQL Injection
First published: Tue Jul 30 2019(Updated: )
A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/postgresql | <0:9.2.24-6.el7_9 | 0:9.2.24-6.el7_9 |
| redhat/rh-postgresql10-postgresql | <0:10.12-2.el7 | 0:10.12-2.el7 |
| redhat/rh-postgresql96-postgresql | <0:9.6.19-1.el7 | 0:9.6.19-1.el7 |
| redhat/postgresql | <11.5 | 11.5 |
| redhat/postgresql | <10.10 | 10.10 |
| redhat/postgresql | <9.6.15 | 9.6.15 |
| redhat/postgresql | <9.5.19 | 9.5.19 |
| redhat/postgresql | <9.4.24 | 9.4.24 |
| PostgreSQL PostgreSQL | >=9.4.0<9.4.24 | |
| PostgreSQL PostgreSQL | >=9.5.0<9.5.19 | |
| PostgreSQL PostgreSQL | >=9.6.0<9.6.15 | |
| PostgreSQL PostgreSQL | >=10.0<10.10 | |
| PostgreSQL PostgreSQL | >=11.0<11.5 |
Remedy
If your use case requires SECURITY DEFINER functions, please follow the advice below to write them safely so they do not rely on search_path and restrict the set of users which can access them. https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10208
- https://www.postgresql.org/about/news/1960/
- https://access.redhat.com/security/cve/CVE-2007-2138
- https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1739217
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1739211
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1739215
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=8673743
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=752fa3d
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=7da4619
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=2062007
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=21f94c5
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1734416#c12
- https://access.redhat.com/errata/RHSA-2020:3669
- https://access.redhat.com/security/cve/cve-2019-10208
- https://access.redhat.com/errata/RHSA-2020:4295
- https://access.redhat.com/errata/RHSA-2020:5619
- https://access.redhat.com/errata/RHSA-2020:5661
- https://access.redhat.com/errata/RHSA-2020:5664
- https://access.redhat.com/errata/RHSA-2021:0164
- https://access.redhat.com/errata/RHSA-2021:0166
- https://access.redhat.com/errata/RHSA-2021:0167
- https://access.redhat.com/errata/RHSA-2021:1512
- https://bugzilla.redhat.com/show_bug.cgi?id=1734416
- https://www.cve.org/CVERecord?id=CVE-2019-10208 https://nvd.nist.gov/vuln/detail/CVE-2019-10208 https://www.postgresql.org/about/news/1960/
- https://access.redhat.com/errata/RHSA-2020:0980
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the vulnerability ID for this flaw in PostgreSQL?
The vulnerability ID for this flaw in PostgreSQL is CVE-2019-10208.
What is the severity level of CVE-2019-10208?
CVE-2019-10208 has a severity level of high.
How can arbitrary SQL statements be executed in PostgreSQL due to this vulnerability?
Arbitrary SQL statements can be executed in PostgreSQL due to this vulnerability when a suitable SECURITY DEFINER function is provided.
Which versions of PostgreSQL are affected by CVE-2019-10208?
Versions 9.4.x, 9.5.x, 9.6.x, 10.x, and 11.x of PostgreSQL are affected by CVE-2019-10208.
Where can I find more information about CVE-2019-10208?
You can find more information about CVE-2019-10208 at the following references: [Reference 1](https://access.redhat.com/security/cve/CVE-2007-2138), [Reference 2](https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1739217).
- collector/redhat-cve
- agent/type
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/remedy
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10208
- agent/software-canonical-lookup
- agent/tags
- agent/event
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/postgresql
- canonical/postgresql postgresql
- version/postgresql postgresql/9.4.0
- version/postgresql postgresql/9.5.0
- version/postgresql postgresql/9.6.0
- version/postgresql postgresql/10.0
- version/postgresql postgresql/11.0