CVE-2018-1058
high-risk
Published 2018-03-02
A flaw was found in the way PostgreSQL allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of a superuser in the database. Versions 9.3 through 10 are affected.
Do I need to act?
82.7% chance of exploitation in next 30 days
EPSS score — higher than 17% of all CVEs
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 8.8/10 · High · NETWORK / LOW complexity
Affected Products (5)
Affected Vendors
References (14)
Third Party Advisory
http://www.securityfocus.com/bid/103221
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2511
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:2566
Third Party Advisory
https://access.redhat.com/errata/RHSA-2018:3816
Issue Tracking
https://bugzilla.redhat.com/show_bug.cgi?id=1547044
Third Party Advisory
https://usn.ubuntu.com/3589-1/
Vendor Advisory
https://www.postgresql.org/about/news/1834/
62 / 100 · high-risk
Severity
30/34 · Critical
Exploitability
20/34 · Moderate
Exposure
12/34 · Low