CVE-2019-10208

Summary

A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.

Affected Software

VendorProductVersion RangeStatus
PostgreSQLpostgresqlall 11.x before 11.5affected
PostgreSQLpostgresqlall 10.x before 10.10affected
PostgreSQLpostgresqlall 9.6.x before 9.6.15affected
PostgreSQLpostgresqlall 9.5.x before 9.5.19affected
PostgreSQLpostgresqlall 9.4.x before 9.4.24affected

Weaknesses

  • CWE-89: CWE-89

ADP Enrichment

CVE Program Container

Additional References

References