CVE-2018-10915: A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an…

high7.5CVSS 3.0

AVNACHPRLUINSUCHIHAH

A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.

Affected

32 ranges· showing 25

Vendor	Product	Version range	Fixed in
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
canonical	ubuntu_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
postgresql	postgresql	>= 0 < 10.5-r0	10.5-r0
postgresql	postgresql	>= 0 < 10.5-r0	10.5-r0
postgresql	postgresql	>= 0 < 10.5-r0	10.5-r0
postgresql	postgresql	>= 0 < 10.5-r0	10.5-r0
postgresql	postgresql	>= 0 < 10.5-r0	10.5-r0
postgresql	postgresql	>= 0 < 9.6.10-r0	9.6.10-r0
postgresql	postgresql	>= 0 < 9.6.10-r0	9.6.10-r0
postgresql	postgresql	>= 0 < 10.5-r0	10.5-r0
postgresql	postgresql	>= 0 < 10.5-r0	10.5-r0
postgresql	postgresql	>= 0 < 10.5-r0	10.5-r0
postgresql	postgresql	>= 10.0 < 10.5	10.5
postgresql	postgresql	>= 9.3.0 < 9.3.24	9.3.24
postgresql	postgresql	>= 9.4.0 < 9.4.19	9.4.19
postgresql	postgresql	>= 9.5.0 < 9.5.14	9.5.14
postgresql	postgresql	>= 9.6.0 < 9.6.10	9.6.10
postgresql_global_development_group	postgresql	—	—
postgresql_global_development_group	postgresql	—	—
postgresql_global_development_group	postgresql	—	—
postgresql_global_development_group	postgresql	—	—
postgresql_global_development_group	postgresql	—	—

CVSS provenance

nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

osv7.5HIGH