Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

None

Privileges Required

Low

Attack Vector

Network

0

CVE-2018-10915

Disclosure Date: August 09, 2018 •

CVE-2018-10915 CVSS v3 Base Score: 7.5

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with “host” or “hostaddr” connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.5 High

Impact Score:

5.9

Exploitability Score:

1.6

Vector:

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector (AV):

Network

Attack Complexity (AC):

High

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

High

Integrity (I):

High

Availability (A):

High

Vendors

canonical,
debian,
postgresql,
redhat

Products

debian linux 8.0,
debian linux 9.0,
enterprise linux desktop 7.0,
enterprise linux server 7.0,
enterprise linux server eus 7.5,
enterprise linux workstation 7.0,
openstack 12,
openstack 13,
postgresql,
ubuntu linux 14.04,
ubuntu linux 16.04,
ubuntu linux 18.04,
virtualization 4.0

References

Canonical

CVE-2018-10915 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10915)

BID-105054 (http://www.securityfocus.com/bid/105054)

Advisory

GLSA-201810-08 (https://security.gentoo.org/glsa/201810-08)

https://access.redhat.com/errata/RHSA-2018:2729

DSA-4269 (https://www.debian.org/security/2018/dsa-4269)

https://access.redhat.com/errata/RHSA-2018:2643

https://access.redhat.com/errata/RHSA-2018:2721

https://access.redhat.com/errata/RHSA-2018:2511

USN-3744-1 (https://usn.ubuntu.com/3744-1)

[debian-lts-announce] 20180815 [SECURITY] [DLA 1464-1] postgresql-9.4 security update (https://lists.debian.org/debian-lts-announce/2018/08/msg00012.html)

https://access.redhat.com/errata/RHSA-2018:2566

https://access.redhat.com/errata/RHSA-2018:2565

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10915

https://access.redhat.com/errata/RHSA-2018:3816

https://www.postgresql.org/about/news/1878

https://access.redhat.com/errata/RHSA-2018:2557

SECTRACK-1041446 (http://www.securitytracker.com/id/1041446)

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html

Rapid7

Technical Analysis