CVE-2019-10130: Improper Access Control in PostgreSQL

Severity
NVD: 4.3 MEDIUM
OSV: 6.5
EPSS: 0.2% (top 58.18%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Jul 30
Latest update: Aug 14

Description

A vulnerability was found in PostgreSQL versions 11.x before 11.3, 10.x before 10.8, 9.6.x before 9.6.13, and 9.5.x before 9.5.17. PostgreSQL maintains column statistics for tables. Certain statistics, such as histograms and lists of most common values, contain values taken from the column. PostgreSQL does not evaluate row security policies before consulting those statistics during query planning; an attacker can exploit this to read the most common values of ce

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (4 packages)

NVD: postgresql/postgresql, 9.5.0 to 9.5.17 (+3)
Alpine: postgresql/postgresql, < 11.3-r0 (+8)
CVEListV5: postgresql_project/postgresql, 4 versions (+3)
NVD: opensuse/leap, 15.1

🔴 Vulnerability Details (4)

GHSA (2022-05-24): GHSA-5rxr-v694-cxfj: A vulnerability was found in PostgreSQL versions 11
OSV (2019-07-30): CVE-2019-10130: A vulnerability was found in PostgreSQL versions 11
CVEList (2019-07-30): CVE-2019-10130: A vulnerability was found in PostgreSQL versions 11
OSV (2019-05-13): postgresql-10, postgresql-11, postgresql-9.5 vulnerabilities

📋 Vendor Advisories (3)

Red Hat (2025-08-14): postgresql: PostgreSQL optimizer statistics can expose sampled data within a view, partition, or child table
Ubuntu (2019-05-13): PostgreSQL vulnerabilities
Red Hat (2019-05-09): postgresql: Selectivity estimators bypass row security policies

💬 Community (3)

Bugzilla (2019-05-13): CVE-2019-10130 mingw-postgresql: postgresql: Selectivity estimators bypass row security policies [fedora-all]
Bugzilla (2019-05-13): CVE-2019-10130 postgresql: Selectivity estimators bypass row security policies [fedora-all]
Bugzilla (2019-05-06): CVE-2019-10130 postgresql: Selectivity estimators bypass row security policies