
FreeBSD: VID-065890C3-725E-11E9-B0E1-6CC21735F730 (CVE-2019-10130): PostgreSQL -- Selectivity estimators bypass row security policies

Severity: 4
CVSS: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Published: May 9, 2019
Added: May 11, 2019
Modified: Aug 8, 2019

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.


From VID-065890C3-725E-11E9-B0E1-6CC21735F730:

The PostgreSQL project reports:

PostgreSQL maintains statistics for tables by sampling data available in columns; this data is consulted during the query planning process. Prior to this release, a user able to execute SQL queries with permissions to read a given column could craft a leaky operator that could read whatever data had been sampled from that column. If this happened to include values from rows that the user is forbidden to see by a row security policy, the user could effectively bypass the policy. This is fixed by only allowing a non-leakproof operator to use this data if there are no relevant row security policies for the table.
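The advisory concerns tables that carry row security policies and whose columns have sampled values stored in the planner statistics. The following query is an added assessment example, not part of the vendor advisory or of PostgreSQL itself; it assumes it is run by a superuser (or a role allowed to read the system catalogs) and uses only standard pg_catalog objects. It lists affected tables with the number of columns that currently hold sampled values, and then shows which text comparison operators are marked leakproof, since the fix restricts statistics use to leakproof operators when a policy applies.

```sql
-- Added example (not from the advisory): tables with row security policies and
-- how many of their columns currently have sampled values (most-common-value
-- lists or histogram bounds) in the planner statistics. Only counts are shown,
-- never the sampled values themselves.
SELECT n.nspname                          AS schema_name,
       c.relname                          AS table_name,
       c.relrowsecurity                   AS rls_enabled,
       c.relforcerowsecurity              AS rls_forced_for_owner,
       count(DISTINCT p.polname)          AS policy_count,
       count(DISTINCT s.attname)
         FILTER (WHERE s.most_common_vals  IS NOT NULL
                    OR s.histogram_bounds  IS NOT NULL)
                                          AS columns_with_sampled_values
FROM   pg_class      c
JOIN   pg_namespace  n ON n.oid = c.relnamespace
LEFT JOIN pg_policy  p ON p.polrelid = c.oid
LEFT JOIN pg_stats   s ON s.schemaname = n.nspname
                      AND s.tablename  = c.relname
WHERE  c.relkind IN ('r', 'p', 'm')            -- ordinary, partitioned, materialized
AND    (c.relrowsecurity OR p.oid IS NOT NULL) -- RLS enabled or a policy defined
GROUP BY n.nspname, c.relname, c.relrowsecurity, c.relforcerowsecurity
ORDER BY columns_with_sampled_values DESC, schema_name, table_name;

-- Companion check: which text comparison operators are backed by a function
-- marked leakproof. After the fix, only these may consult the statistics of a
-- table that has relevant row security policies.
SELECT o.oprname,
       o.oprleft::regtype   AS left_type,
       o.oprright::regtype  AS right_type,
       pr.proleakproof
FROM   pg_operator o
JOIN   pg_proc     pr ON pr.oid = o.oprcode
WHERE  o.oprleft = 'text'::regtype
AND    o.oprname IN ('=', '<>', '<', '<=', '>', '>=')
ORDER BY o.oprname;

-- Confirm the running server version against the fixed release for your branch.
SHOW server_version;
```

Tables at the top of the first result with a non-zero sampled-value count are the ones to prioritize when scheduling the upgrade.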





Solution(s)

freebsd-upgrade-package-postgresql10-server
freebsd-upgrade-package-postgresql11-server
freebsd-upgrade-package-postgresql95-server
freebsd-upgrade-package-postgresql96-server