PT-2018-2615 · Postgresql+3

Sam Fowler · Published 2018-07-30 · Updated 2026-01-30 · CVE-2018-16850

CVSS v3.1: 8.0 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
PostgreSQL versions prior to 11.1
PostgreSQL versions prior to 10.6

Description
The issue is an SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. An attacker who can create a purpose-crafted trigger definition can cause arbitrary SQL statements to run with superuser privileges when the database is later dumped or upgraded. The vulnerability is due to insufficient protection of the structure of the SQL generated by these tools, allowing a remote attacker to execute arbitrary SQL commands.

Recommendations
For versions prior to 11.1, update to version 11.1 or later to resolve the issue. For versions prior to 10.6, update to version 10.6 or later to resolve the issue. As a temporary workaround, consider restricting the use of CREATE TRIGGER ... REFERENCING in databases that pg_upgrade and pg_dump will process until a patch is applied.
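The advisory only names the affected feature; a DBA who cannot patch immediately will want a way to find the triggers that matter before running pg_dump or pg_upgrade. The following audit query is an added example written for this page, not code from the advisory or from the PostgreSQL project. It assumes the PostgreSQL 10+ catalog columns `pg_trigger.tgoldtable` and `pg_trigger.tgnewtable`, which hold the transition table names declared with REFERENCING, and flags any name that is not a plain lower-case identifier (the kind of name a dump must quote). The small fixture at the top is constructed purely so the query has something benign to report.

```sql
-- Constructed fixture (not part of the advisory): a table, a no-op trigger
-- function and one trigger whose OLD transition table name needs quoting.
CREATE TABLE audit_demo (id integer);

CREATE FUNCTION audit_demo_fn() RETURNS trigger
LANGUAGE plpgsql AS $$
BEGIN
    RETURN NULL;   -- AFTER trigger: return value is ignored
END
$$;

CREATE TRIGGER audit_demo_trg
    AFTER UPDATE ON audit_demo
    REFERENCING OLD TABLE AS "old rows" NEW TABLE AS new_rows
    FOR EACH STATEMENT
    EXECUTE PROCEDURE audit_demo_fn();

-- Audit: every user-defined trigger that declares a transition table whose
-- name is not a plain lower-case identifier. Review each hit before running
-- pg_dump or pg_upgrade on a server older than 10.6 / 11.1.
SELECT n.nspname                 AS schema_name,
       c.relname                 AS table_name,
       t.tgname                  AS trigger_name,
       t.tgoldtable              AS old_transition_table,
       t.tgnewtable              AS new_transition_table,
       pg_get_triggerdef(t.oid)  AS definition
FROM   pg_trigger   t
JOIN   pg_class     c ON c.oid = t.tgrelid
JOIN   pg_namespace n ON n.oid = c.relnamespace
WHERE  NOT t.tgisinternal                       -- skip FK/constraint triggers
  AND  (   (t.tgoldtable IS NOT NULL
            AND t.tgoldtable !~ '^[a-z_][a-z0-9_]*$')
        OR (t.tgnewtable IS NOT NULL
            AND t.tgnewtable !~ '^[a-z_][a-z0-9_]*$'))
ORDER  BY schema_name, table_name, trigger_name;

-- Expected: one row for audit_demo_trg, because "old rows" contains a space.
DROP TABLE audit_demo;           -- also drops audit_demo_trg
DROP FUNCTION audit_demo_fn();
```

The query must run as a role that can read every schema's triggers (a superuser is simplest). An empty result means no trigger on the server relies on a quoted transition table name; any hit is a definition to review with the owner, and the patched release should still be applied, since this query only narrows the exposure window.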

Fix

SQL injection

Weakness Enumeration

Related Identifiers

ALT-PU-2018-2606
ALT-PU-2018-2607
ALT-PU-2018-2608
BDU:2019-01225
CLEANSTART-2026-FW42039
CLEANSTART-2026-HJ04971
CVE-2018-16850
OPENSUSE-SU-2018_3893-1
OPENSUSE-SU-2018_4031-1
OPENSUSE-SU-2024:11184-1
OPENSUSE-SU-2024:11185-1
RHSA-2018:3757
SUSE-SU-2018:3770-1
SUSE-SU-2018:3770-2
SUSE-SU-2018:3942-1
SUSE-SU-2018_3770-1
SUSE-SU-2018_3770-2
USN-3818-1

Affected Products

Alt Linux
Postgresql
Suse
Ubuntu