National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:postgresql:postgresql:10.7
There are 2 matching records.
Vuln ID Summary CVSS Severity
CVE-2019-10164

PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.

Published: June 26, 2019; 12:15:09 PM -04:00
V3: 8.8 HIGH
V2: 9.0 HIGH
CVE-2019-9193

** DISPUTED ** In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_read_server_files' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ?COPY TO/FROM PROGRAM? is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ?COPY FROM PROGRAM?. Furthermore, members in 'pg_read_server_files' can run commands only if either the 'pg_execute_server_program' role or superuser are granted.

Published: April 01, 2019; 05:30:45 PM -04:00
V3: 7.2 HIGH
V2: 9.0 HIGH