CVE-2018-10915

Name of the Vulnerable Software and Affected Versions Postgresql versions prior to 10.5 Postgresql versions prior to 9.6.10 Postgresql versions prior to 9.5.14 Postgresql versions prior to 9.4.19 Postgresql versions prior to 9.3.24

Description A vulnerability was found in libpq, the default PostgreSQL client library, where it failed to properly reset its internal state between connections. If an affected version of libpq was used with host or hostaddr connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections, or potentially cause other impact through SQL injection by causing the PQescape() function to malfunction.

Recommendations For versions prior to 10.5, update to version 10.5 or later. For versions prior to 9.6.10, update to version 9.6.10 or later. For versions prior to 9.5.14, update to version 9.5.14 or later. For versions prior to 9.4.19, update to version 9.4.19 or later. For versions prior to 9.3.24, update to version 9.3.24 or later. As a temporary workaround, consider restricting the use of the host and hostaddr connection parameters to trusted input only, until a patch is available.