CVE-2019-10208
postgresql-11 - security update
Severity: HIGH (CVSS 3.1 base score 8.8)
EPSS: 0.20%
Description
A flaw in PostgreSQL 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 allows arbitrary SQL to be executed through a suitable SECURITY DEFINER function. An attacker who holds EXECUTE permission on such a function can run arbitrary SQL with the privileges of the function's owner. The PostgreSQL project tracked the issue as "TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER function execution". Because SECURITY DEFINER functions are often owned by a superuser or another high-privilege role, this is a privilege-escalation path for any authenticated database user who can call an affected function.
How to fix CVE-2019-10208
To remediate CVE-2019-10208, upgrade the affected package to the fixed version for its distribution, listed below:
- upgrade to 11.5-r0 or later
- upgrade to 11.5-r0 or later
- upgrade to 11.5-r0 or later
- upgrade to 11.5-1+deb10u1 or later
- upgrade to 9.4.24-0+deb8u1 or later
- upgrade to 9.6.15-0+deb9u1 or later
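After the package upgrade, verify the running server actually carries the fix (a restart is needed for a new binary to take effect) and take stock of which SECURITY DEFINER functions low-privilege roles can reach. The following SQL is an added example, not code from the advisory or from the PostgreSQL project; it uses only catalog columns and functions that exist in all affected branches. The hardening pattern at the end follows PostgreSQL's documented guidance for SECURITY DEFINER functions (pin search_path with pg_temp last, do not leave EXECUTE with PUBLIC); the schema app, table app.accounts and role app_reader are hypothetical names.

```sql
-- Added example (not from the advisory or from the PostgreSQL project).

-- Step 1: confirm the running server carries the fix.
-- server_version_num encodes 9.x as major*10000 + minor*100 + patch and
-- 10+ as major*10000 + minor, so the fixed releases are
-- 9.4.24 = 90424, 9.5.19 = 90519, 9.6.15 = 90615, 10.10 = 100010, 11.5 = 110005.
-- 12 and later GA releases shipped after the fix and fall under the first branch.
SELECT v AS server_version_num,
       CASE
         WHEN v >= 110000 THEN v >= 110005
         WHEN v >= 100000 THEN v >= 100010
         WHEN v >=  90600 THEN v >=  90615
         WHEN v >=  90500 THEN v >=  90519
         WHEN v >=  90400 THEN v >=  90424
         ELSE false   -- older, unsupported branch: treat as vulnerable
       END AS fixed_for_cve_2019_10208
FROM (SELECT current_setting('server_version_num')::int AS v) AS s;

-- Step 2: measure the exposure: SECURITY DEFINER functions that PUBLIC may
-- execute, i.e. functions any authenticated role could call. Functions with
-- no pinned search_path (nothing like 'search_path=...' in proconfig) are
-- listed first, since they resolve object names under the caller's settings.
SELECT n.nspname                                   AS schema,
       p.proname                                   AS function,
       pg_get_function_identity_arguments(p.oid)   AS args,
       pg_get_userbyid(p.proowner)                 AS owner,
       EXISTS (SELECT 1
               FROM unnest(coalesce(p.proconfig, '{}'::text[])) AS c(setting)
               WHERE c.setting LIKE 'search_path=%') AS search_path_pinned
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_function_privilege('public', p.oid, 'EXECUTE')
ORDER BY search_path_pinned, owner, schema, function;

-- Step 3: hardening pattern for a SECURITY DEFINER function (PostgreSQL's
-- documented guidance). Pinning search_path with pg_temp last stops the
-- caller from steering unqualified name resolution, and granting EXECUTE
-- only to the roles that need it shrinks the set of attackers who can call
-- the function at all. This reduces exposure; it does not replace the upgrade.
-- Names below (app, app.accounts, app_reader) are hypothetical.
BEGIN;

CREATE OR REPLACE FUNCTION app.account_email(p_id integer)
RETURNS text
LANGUAGE sql
SECURITY DEFINER
SET search_path = pg_catalog, app, pg_temp
AS $$
  SELECT a.email FROM app.accounts AS a WHERE a.id = p_id;
$$;

-- Revoke in the same transaction as the definition so there is no window in
-- which the default PUBLIC grant is live.
REVOKE EXECUTE ON FUNCTION app.account_email(integer) FROM PUBLIC;
GRANT  EXECUTE ON FUNCTION app.account_email(integer) TO app_reader;

COMMIT;
```

Run step 1 on every server, not just where the package manager reports the new version: a server that has not been restarted still runs the old binary. Step 2 is worth keeping as a recurring check, because new SECURITY DEFINER functions created by application migrations inherit the default PUBLIC EXECUTE grant.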
Is CVE-2019-10208 being exploited?
Low: EPSS is 0.20%, a low predicted probability of exploitation in the wild over the next 30 days. EPSS is a forecast, not a record of observed attacks, and this flaw still requires an authenticated database user with EXECUTE permission on a suitable SECURITY DEFINER function, so it matters most where untrusted roles can log in to the database.
Affected packages (6)
- any version < 11.5-r0
- any version < 11.5-r0
- any version < 11.5-r0
- any version < 11.5-1+deb10u1
- any version < 9.4.24-0+deb8u1
- any version < 9.6.15-0+deb9u1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |