CVE-2018-10915

EPSS 1.56%
Published 09.08.2018 20:29:00
Last modified 21.11.2024 03:42:17
Source secalert@redhat.com
Teams watchlist Login
Open Login

A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.

Affected products Warnungen 0 Metrics 4 CWE 3 References 20

Data is provided by the National Vulnerability Database (NVD)

Redhat ≫ Openstack Version12

Redhat ≫ Openstack Version13

Redhat ≫ Virtualization Version4.0

Redhat ≫ Enterprise Linux Desktop Version7.0

Redhat ≫ Enterprise Linux Server Version7.0

Redhat ≫ Enterprise Linux Server Eus Version7.5

Redhat ≫ Enterprise Linux Workstation Version7.0

Canonical ≫ Ubuntu Linux Version14.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version16.04 SwEditionlts

Canonical ≫ Ubuntu Linux Version18.04 SwEditionlts

Debian ≫ Debian Linux Version8.0

Debian ≫ Debian Linux Version9.0

Postgresql ≫ Postgresql Version >= 9.3.0 < 9.3.24

Postgresql ≫ Postgresql Version >= 9.4.0 < 9.4.19

Postgresql ≫ Postgresql Version >= 9.5.0 < 9.5.14

Postgresql ≫ Postgresql Version >= 9.6.0 < 9.6.10

Postgresql ≫ Postgresql Version >= 10.0 < 10.5

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	1.56%	0.809

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	1.6	5.9	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov	6	6.8	6.4	AV:N/AC:M/Au:S/C:P/I:P/A:P
secalert@redhat.com	8.5	1.8	6	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-665 Improper Initialization

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

https://access.redhat.com/errata/RHSA-2018:2729

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2511

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:2566

Third Party Advisory

https://access.redhat.com/errata/RHSA-2018:3816

https://access.redhat.com/errata/RHSA-2018:2643

Third Party Advisory

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html

https://access.redhat.com/errata/RHSA-2018:2565

Third Party Advisory