postgresql: Multiple vulnerabilities (CVE-2019-10208, CVE-2019-10209)
ID: oval:org.secpod.oval:def:1802026 | Date: (C)2022-03-25 (M)2022-10-10 | Class: PATCH | Family: unix
Given a suitable SECURITY DEFINER function, an attacker can execute arbitrary SQL under the identity of the function owner. An attack requires EXECUTE permission on the function, which must itself contain a function call with an inexact argument type match. For example, length('foo'::varchar) and length('foo') are inexact, while length('foo'::text) is exact. As part of exploiting this vulnerability, the attacker uses CREATE DOMAIN to create a type in a pg_temp schema. The attack pattern and fix are similar to those for CVE-2007-2138.
Platform:
Alpine Linux 3.10
Alpine Linux 3.11
Alpine Linux 3.12
Alpine Linux 3.13
Alpine Linux 3.14
Alpine Linux 3.15
Alpine Linux 3.7
Alpine Linux 3.8
Alpine Linux 3.9