vulnerability

FreeBSD: VID-065890C3-725E-11E9-B0E1-6CC21735F730 (CVE-2019-10130): PostgreSQL -- Selectivity estimators bypass row security policies

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:L/Au:S/C:P/I:N/A:N)	May 9, 2019	May 11, 2019	Aug 8, 2019

Severity

CVSS

(AV:N/AC:L/Au:S/C:P/I:N/A:N)

Published

May 9, 2019

Added

May 11, 2019

Modified

Aug 8, 2019

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From VID-065890C3-725E-11E9-B0E1-6CC21735F730:

The PostgreSQL project reports:

PostgreSQL maintains statistics for tables by sampling

data available in columns; this data is consulted during

the query planning process. Prior to this release, a user

able to execute SQL queries with permissions to read a

given column could craft a leaky operator that could

read whatever data had been sampled from that column.

If this happened to include values from rows that the user

is forbidden to see by a row security policy, the user

could effectively bypass the policy. This is fixed by only

allowing a non-leakproof operator to use this data if

there are no relevant row security policies for the table.

Solution(s)

freebsd-upgrade-package-postgresql10-serverfreebsd-upgrade-package-postgresql11-serverfreebsd-upgrade-package-postgresql95-serverfreebsd-upgrade-package-postgresql96-server

References

NVD-CVE-2019-10130

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today