CVE-2018-1058: PostgreSQL 10.3, 9.6.8, 9.5.12, 9.4.17, and 9.3.22 released!

A flaw was found in the way PostgreSQL allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database. Versions 9.3 through 10 are affected.


Posted on 2018-03-01 by PostgreSQL Global Development Group

PostgreSQL Project

2018-03-01 Security Update Release

The PostgreSQL Global Development Group has released an update to all supported versions of the PostgreSQL database system, including 10.3, 9.6.8, 9.5.12, 9.4.17, and 9.3.22.

The purpose of this release is to address CVE-2018-1058, which describes how a user can create like-named objects in different schemas that can change the behavior of other users’ queries and cause unexpected or malicious behavior, also known as a “trojan-horse” attack. Most of this release centers around added documentation that describes the issue and how to take steps to mitigate the impact on PostgreSQL databases.

We strongly encourage all of our users to please visit A Guide to CVE-2018-1058: Protect Your Search Path for a detailed explanation of CVE-2018-1058 and how to protect your PostgreSQL installations.

After evaluating the documentation for CVE-2018-1058, a database administrator may need to take follow-up steps on their PostgreSQL installations to ensure they are protected from exploitation.
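As a starting point for those follow-up steps, the following read-only audit is an added example, not part of the original announcement or the project's own tooling. It lists schemas where every role may create objects and functions whose names match built-in ones; the role name `app_user` in the commented remediation is a placeholder.

```sql
-- Added example: read-only audit for the like-named-object problem.
-- Pin the session search path first so that the audit's own unqualified
-- functions and operators can only resolve to pg_catalog.
SELECT pg_catalog.set_config('search_path', '', false);

-- 1. Schemas in which PUBLIC (every role) holds CREATE.
--    aclexplode() reports the PUBLIC pseudo-role as grantee OID 0.
SELECT n.nspname AS schema_name,
       pg_catalog.pg_get_userbyid(n.nspowner) AS schema_owner
FROM pg_catalog.pg_namespace AS n,
     pg_catalog.aclexplode(n.nspacl) AS a
WHERE a.grantee = 0
  AND a.privilege_type = 'CREATE'
ORDER BY n.nspname;

-- 2. Functions outside the system schemas whose name matches a
--    pg_catalog function. Each row is a candidate for capturing an
--    unqualified call and needs manual review (extensions installed
--    into a user schema can appear here legitimately).
SELECT n.nspname AS schema_name,
       p.proname AS function_name,
       pg_catalog.pg_get_function_identity_arguments(p.oid) AS arguments,
       pg_catalog.pg_get_userbyid(p.proowner) AS function_owner
FROM pg_catalog.pg_proc AS p
JOIN pg_catalog.pg_namespace AS n ON n.oid = p.pronamespace
WHERE n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND EXISTS (
        SELECT 1
        FROM pg_catalog.pg_proc AS c
        JOIN pg_catalog.pg_namespace AS cn ON cn.oid = c.pronamespace
        WHERE cn.nspname = 'pg_catalog'
          AND c.proname = p.proname)
ORDER BY n.nspname, p.proname;

-- 3. Remediation to consider after reviewing the results (run as the
--    database owner or a superuser; app_user is a placeholder role):
-- REVOKE CREATE ON SCHEMA public FROM PUBLIC;
-- ALTER ROLE app_user SET search_path = "$user";
```

Run the audit in each database of the cluster, since schema privileges and functions are per-database.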

Security Issues

One security vulnerability is addressed in this release:

  • CVE-2018-1058: Uncontrolled search path element in pg_dump and other client applications

Please visit A Guide to CVE-2018-1058: Protect Your Search Path for a full explanation of CVE-2018-1058.

Bug Fixes and Improvements

This update fixes several bugs reported since the last cumulative update. Some of these issues affect only version 10, but many affect all supported versions. These fixes include:

  • Prevent logical replication from trying to replicate changes for unpublishable relations, such as materialized views and the “information_schema” tables
  • Fix so that a common table expression (WITH clause) returns correct results when referenced in a subplan where there are concurrent-update rechecks
  • Fix for an unexpected query planner error in certain cases where there are overlapping merge join clauses in an OUTER JOIN
  • Fix for potential data corruption with materialized views after running pg_upgrade. If receiving errors such as “could not access status of transaction” or “found xmin from before relfrozenxid” on materialized views, please use “REFRESH MATERIALIZED VIEW” without “CONCURRENTLY” to fix.
  • Several fixes for pg_dump, including a fix to help with the future work of cross-table statistics
  • Fix for reporting a PL/Python stack trace relative to inner PL/Python functions
  • Allow contrib/auto_explain to range up to INT_MAX, which is about 24 days
  • Mark assorted configuration variables as PGDLLIMPORT, to ease porting extension modules to Windows

Acknowledgements

The PostgreSQL Global Development Group would like to thank Arseniy Sharoglazov for reporting CVE-2018-1058 to the security team.

Links

  • A Guide to CVE-2018-1058: Protect Your Search Path
  • Download
  • Release Notes
  • Security Page
  • Versioning Policy
