PT-2019-3231 · Postgresql+5
Tom Lane
Published 2019-08-07 · Updated 2026-01-30
CVE-2019-10208
CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
postgresql versions 9.4.x before 9.4.24
postgresql versions 9.5.x before 9.5.19
postgresql versions 9.6.x before 9.6.15
postgresql versions 10.x before 10.10
postgresql versions 11.x before 11.5
Description
A flaw in PostgreSQL allows arbitrary SQL statements to be executed given a suitable SECURITY DEFINER function: an attacker holding EXECUTE permission on such a function can run arbitrary SQL as the function's owner. The root cause is that PostgreSQL does not protect the structure of the SQL queries inside a SECURITY DEFINER function, so a remote, authenticated attacker who can exploit it gains the ability to execute arbitrary SQL commands with the owner's privileges.
Recommendations
For postgresql versions 9.4.x before 9.4.24, update to version 9.4.24 or later.
For postgresql versions 9.5.x before 9.5.19, update to version 9.5.19 or later.
For postgresql versions 9.6.x before 9.6.15, update to version 9.6.15 or later.
For postgresql versions 10.x before 10.10, update to version 10.10 or later.
For postgresql versions 11.x before 11.5, update to version 11.5 or later.
As a temporary workaround, consider restricting EXECUTE permission on SECURITY DEFINER functions to minimize the risk of exploitation.
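The checks a DBA would run to act on the recommendations above, as an added example that is not part of the original advisory or the PostgreSQL project's own code: a version check against the affected ranges listed here, an inventory of SECURITY DEFINER functions that PUBLIC may EXECUTE, and the REVOKE/GRANT pattern for the workaround. The schema, function and role names in the last step are placeholders.

```sql
-- Added defensive checks for this advisory (not from the original page or the PostgreSQL project).
-- 1) Flag a server whose version falls in one of the affected ranges listed above.
--    server_version_num encodes 9.4.24 as 90424, 10.10 as 100010 and 11.5 as 110005.
SELECT current_setting('server_version_num')::int AS version_num,
       CASE
         WHEN current_setting('server_version_num')::int BETWEEN 90400  AND 90423  THEN 'affected: update to 9.4.24 or later'
         WHEN current_setting('server_version_num')::int BETWEEN 90500  AND 90518  THEN 'affected: update to 9.5.19 or later'
         WHEN current_setting('server_version_num')::int BETWEEN 90600  AND 90614  THEN 'affected: update to 9.6.15 or later'
         WHEN current_setting('server_version_num')::int BETWEEN 100000 AND 100009 THEN 'affected: update to 10.10 or later'
         WHEN current_setting('server_version_num')::int BETWEEN 110000 AND 110004 THEN 'affected: update to 11.5 or later'
         ELSE 'not in an affected range listed in this advisory'
       END AS status;

-- 2) Inventory SECURITY DEFINER functions that PUBLIC is allowed to EXECUTE.
--    A NULL proacl means the built-in default ACL applies, and that default grants
--    EXECUTE to PUBLIC, so acldefault() is used to expand it. Grantee OID 0 is PUBLIC.
SELECT n.nspname                                  AS schema,
       p.proname                                  AS function,
       pg_get_function_identity_arguments(p.oid)  AS args,
       pg_get_userbyid(p.proowner)                AS owner
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
CROSS JOIN LATERAL aclexplode(COALESCE(p.proacl, acldefault('f', p.proowner))) a
WHERE p.prosecdef
  AND a.grantee = 0
  AND a.privilege_type = 'EXECUTE'
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY 1, 2;

-- 3) Workaround pattern for each row returned: drop the PUBLIC grant and grant EXECUTE
--    only to the role that actually needs the function. Names below are placeholders.
REVOKE EXECUTE ON FUNCTION app.lookup_secret(text) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION app.lookup_secret(text) TO app_reader;
```

Run the inventory query again after the REVOKE to confirm the function no longer appears; the version check is the only step that becomes unnecessary once the upgrade in the recommendations has been applied.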
Weakness Enumeration
SQL injection
Affected Products
ALT Linux
CentOS
PostgreSQL
Red Hat
SUSE
Ubuntu