CVE-2018-10915

CWE-89SQL InjectionCWE-200Information ExposureCWE-66511 documents7 sources
Severity
7.5HIGH
EPSS
1.8%
top 17.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
10
Postgresql PostgresqlPostgresql Global Development Group PostgresqlCanonical Ubuntu Linux+7 more
Timeline
PublishedAug 9
Latest updateMay 13

Description

A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versio

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages13 packages

NVDpostgresql/postgresql9.3.09.3.24+4
Alpinepostgresql< 10.5-r0+9
Alpinepostgresql14< 10.5-r0+3
Alpinepostgresql15< 10.5-r0+3
Ubuntupostgresql-10< 10.5-0ubuntu0.18.04

Also affects: Debian Linux 8.0, 9.0, Ubuntu Linux 14.04, 16.04, 18.04, Enterprise Linux 7.5

Patches

Patch: bugzilla.redhat.comPatch: bugzilla.redhat.com

🔴Vulnerability Details

4
GHSA
GHSA-q7vw-gjh3-qf97: A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections2022-05-13
OSV
postgresql-10, postgresql-9.3, postgresql-9.5 vulnerabilities2018-08-16
CVEList
CVE-2018-10915: A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections2018-08-09
OSV
CVE-2018-10915: A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections2018-08-09

📋Vendor Advisories

2
Ubuntu
PostgreSQL vulnerabilities2018-08-16
Red Hat
postgresql: Certain host connection parameters defeat client-side security defenses2018-08-09

💬Community

4
Bugzilla
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses [fedora-all]2018-08-09
Bugzilla
CVE-2018-10915 mingw-postgresql: postgresql: Certain host connection parameters defeat client-side security defenses [epel-7]2018-08-09
Bugzilla
CVE-2018-10915 mingw-postgresql: postgresql: Certain host connection parameters defeat client-side security defenses [fedora-all]2018-08-09
Bugzilla
CVE-2018-10915 postgresql: Certain host connection parameters defeat client-side security defenses2018-07-30
CVE-2018-10915 (HIGH CVSS 7.5) | A vulnerability was found in libpq | cvebase.io