CVE-2018-16850
postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges.
| Software | From | Fixed in |
|---|---|---|
| postgresql / postgresql | 10.0 | 10.6 |
| postgresql / postgresql | 11.0 | 11.1 |
| redhat / enterprise_linux | 7.4 | 7.4.x |
| redhat / enterprise_linux | 7.0 | 7.0.x |
| redhat / enterprise_linux | 7.5 | 7.5.x |
| redhat / enterprise_linux | 7.6 | 7.6.x |
| canonical / ubuntu_linux | 18.04 | 18.04.x |
| canonical / ubuntu_linux | 18.10 | 18.10.x |
- http://www.securityfocus.com/bid/105923
- http://www.securitytracker.com/id/1042144
- https://access.redhat.com/errata/RHSA-2018:3757
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16850
- https://security.gentoo.org/glsa/201811-24
- https://usn.ubuntu.com/3818-1/
- https://www.postgresql.org/about/news/1905/
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime