high
8.8
CWE
89
Advisory Published
CVE Published
CVE Published
Updated

CVE-2019-10208: SQL Injection

First published: Tue Jul 30 2019(Updated: )

A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.

Credit: secalert@redhat.com

Affected SoftwareAffected VersionHow to fix
redhat/postgresql<0:9.2.24-6.el7_9
0:9.2.24-6.el7_9
redhat/rh-postgresql10-postgresql<0:10.12-2.el7
0:10.12-2.el7
redhat/rh-postgresql96-postgresql<0:9.6.19-1.el7
0:9.6.19-1.el7
redhat/postgresql<11.5
11.5
redhat/postgresql<10.10
10.10
redhat/postgresql<9.6.15
9.6.15
redhat/postgresql<9.5.19
9.5.19
redhat/postgresql<9.4.24
9.4.24
PostgreSQL PostgreSQL>=9.4.0<9.4.24
PostgreSQL PostgreSQL>=9.5.0<9.5.19
PostgreSQL PostgreSQL>=9.6.0<9.6.15
PostgreSQL PostgreSQL>=10.0<10.10
PostgreSQL PostgreSQL>=11.0<11.5

Remedy

If your use case requires SECURITY DEFINER functions, please follow the advice below to write them safely so they do not rely on search_path and restrict the set of users which can access them. https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

  • What is the vulnerability ID for this flaw in PostgreSQL?

    The vulnerability ID for this flaw in PostgreSQL is CVE-2019-10208.

  • What is the severity level of CVE-2019-10208?

    CVE-2019-10208 has a severity level of high.

  • How can arbitrary SQL statements be executed in PostgreSQL due to this vulnerability?

    Arbitrary SQL statements can be executed in PostgreSQL due to this vulnerability when a suitable SECURITY DEFINER function is provided.

  • Which versions of PostgreSQL are affected by CVE-2019-10208?

    Versions 9.4.x, 9.5.x, 9.6.x, 10.x, and 11.x of PostgreSQL are affected by CVE-2019-10208.

  • Where can I find more information about CVE-2019-10208?

    You can find more information about CVE-2019-10208 at the following references: [Reference 1](https://access.redhat.com/security/cve/CVE-2007-2138), [Reference 2](https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY), [Reference 3](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1739217).

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203