CVE-2018-10915 — HIGH (8.5)

Q: How severe is CVE-2018-10915?

CVE-2018-10915 has been rated HIGH with a CVSS base score of 8.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-10915?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Openstack, Redhat Virtualization, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Eus.

Vulnerability Description

A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.

CVSS Score

8.5

HIGH

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Redhat	Openstack	12
Redhat	Virtualization	4.0
Redhat	Enterprise Linux Desktop	7.0
Redhat	Enterprise Linux Server	7.0
Redhat	Enterprise Linux Server Eus	7.5
Redhat	Enterprise Linux Workstation	7.0
Canonical	Ubuntu Linux	14.04
Debian	Debian Linux	8.0
Postgresql	Postgresql	>= 9.3.0, < 9.3.24

Related Weaknesses (CWE)

CWE-665 CWE-89 CWE-200

References

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html
http://www.securityfocus.com/bid/105054Third Party AdvisoryVDB Entry
http://www.securitytracker.com/id/1041446Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2018:2511Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2557Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2565Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2566Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2643Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2721Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2729Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3816
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10915Issue TrackingPatchThird Party Advisory
https://lists.debian.org/debian-lts-announce/2018/08/msg00012.htmlThird Party Advisory
https://security.gentoo.org/glsa/201810-08
https://usn.ubuntu.com/3744-1/Third Party Advisory

FAQ

What is CVE-2018-10915?

CVE-2018-10915 is a vulnerability with a CVSS score of 8.5 (HIGH). A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "ho...

How severe is CVE-2018-10915?

CVE-2018-10915 has been rated HIGH with a CVSS base score of 8.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-10915?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Openstack, Redhat Virtualization, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Eus.