vulnerability
FreeBSD: VID-1c27a706-e3aa-11e8-b77a-6cc21735f730 (CVE-2018-16850): PostgreSQL -- SQL injection in pg_upgrade and pg_dump
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Nov 8, 2018 | Nov 9, 2018 | Dec 10, 2025 |
Severity
7
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Nov 8, 2018
Added
Nov 9, 2018
Modified
Dec 10, 2025
Description
The PostgreSQL project reports: CVE-2018-16850: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can run arbitrary SQL statements with superuser privileges when a superuser runs pg_upgrade on the database or during a pg_dump dump/restore cycle. This attack requires a CREATE privilege on some non-temporary schema or a TRIGGER privilege on a table. This is exploitable in the default PostgreSQL configuration, where all users have CREATE privilege on public schema.
Solutions
freebsd-upgrade-package-postgresql10-serverfreebsd-upgrade-package-postgresql96-serverfreebsd-upgrade-package-postgresql95-serverfreebsd-upgrade-package-postgresql94-serverfreebsd-upgrade-package-postgresql93-server
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.