CVE-2019-10130

Published: Jul 30, 2019

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.0 base score: 3.1 (LOW)

Description

A vulnerability was found in PostgreSQL versions 11.x prior to 11.3, 10.x prior to 10.8, 9.6.x prior to 9.6.13, and 9.5.x prior to 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of certain columns. Affected columns are those for which the attacker has SELECT privilege and for which, in an ordinary query, row-level security prunes the set of rows visible to the attacker.

Vendor: PostgreSQL Project

Product: postgresql

Versions:

affected: 11.x up to, excluding 11.3
affected: 10.x up to, excluding 10.8
affected: 9.6.x up to, excluding 9.6.13
affected: 9.5.x up to, excluding 9.5.17

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

References

GLSA-202003-03 (vendor-advisory, x_refsource_GENTOO)
openSUSE-SU-2020:1227 (vendor-advisory, x_refsource_SUSE)

CVE-2019-10130 | LOW (3.1) - Security Vulnerability | QwikSec