Platform
postgresql
Component
postgresql
Fixed in
11.3
10.8
9.6.13
9.5.17
CVE-2019-10130 is an information disclosure vulnerability in PostgreSQL affecting 11.x prior to 11.3, 10.x prior to 10.8, 9.6.x prior to 9.6.13 and 9.5.x prior to 9.5.17. It allows a user who can SELECT from a table protected by row security policies to read values held in the column statistics the query planner consults, because PostgreSQL did not apply those policies before using the statistics. The fix shipped in 11.3, 10.8, 9.6.13 and 9.5.17.
The flaw can be exercised by any role holding SELECT on a table that has a row security policy. ANALYZE stores per-column statistics in pg_statistic (visible through the pg_stats view), including a list of the column's most common values and a histogram of its distribution, and the planner's selectivity estimators consult these while choosing a plan. Before the fix, the estimators evaluated the query's operator against those stored values without first checking whether row security would hide the rows they came from, so a query using an operator whose implementing function is not leakproof could observe the most frequent values of a column even though the policy denies the user every row containing them. What leaks depends on the column: anything from personally identifiable information (PII) to sensitive business data. The CVSS severity is rated LOW, but in environments subject to data-privacy regulation the disclosure of real column values is a significant concern.
The CVE record for CVE-2019-10130 was published on July 30, 2019; the fixed minor releases had already shipped with PostgreSQL's May 2019 update. There is no indication of this vulnerability being actively exploited in the wild, and it is not listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is available and demonstrates that exploitation is feasible. The low CVSS score suggests a low probability of exploitation, but the availability of PoC code warrants attention and remediation.
Exploit Status
EPSS
0.20% (42nd percentile)
The fix for CVE-2019-10130 is to upgrade to the patched minor release for the major version in use: 11.3, 10.8, 9.6.13 or 9.5.17, or any later release in the same branch. Row-level security is the precondition for this bug, not a defense against it: the leak exists precisely because the planner ignored the table's policies, so adding policies does not close it. If an immediate upgrade is not feasible, reduce exposure instead: revoke SELECT on tables that carry row security policies from roles that do not strictly need it, and consider disabling statistics collection on the sensitive columns of those tables (ALTER TABLE ... ALTER COLUMN ... SET STATISTICS 0, followed by ANALYZE), accepting poorer plans for predicates on them. Monitor PostgreSQL logs for unusual query patterns, in particular non-privileged roles creating functions or operators and then querying RLS-protected tables with them. After upgrading, confirm that the server reports a fixed version and that the query that previously triggered the disclosure no longer reveals values.
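The following SQL is an example added to this page; it is not code from the advisory or from the PostgreSQL project. It turns the points above into checks a DBA can run as a superuser: which tables carry the precondition (row security enabled), which of their columns already have the stored values the planner could leak, the statistics stopgap for a sensitive column, and a version test against the fixed releases. The table app.customers and its column ssn are assumed names.

```sql
-- Added example (not from the advisory or the PostgreSQL project): audit the
-- exposure to CVE-2019-10130 and apply the statistics stopgap. Run as superuser.

-- 1. Tables with row-level security enabled. Only these are at risk, because
--    the flaw is that column statistics were consulted without applying the
--    table's RLS policies. relrowsecurity/relforcerowsecurity are pg_class
--    columns; has_table_privilege() lists who holds the SELECT right that
--    exploitation requires.
SELECT n.nspname AS schema,
       c.relname AS table_name,
       c.relforcerowsecurity AS rls_forced_for_owner,
       (SELECT string_agg(r.rolname, ', ')
          FROM pg_roles r
         WHERE NOT r.rolsuper
           AND has_table_privilege(r.oid, c.oid, 'SELECT')) AS roles_with_select
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE c.relkind IN ('r', 'p')
  AND c.relrowsecurity;

-- 2. Columns of those tables for which ANALYZE has already stored a
--    most-common-values list or histogram in pg_statistic (shown through the
--    pg_stats view). These are the values a leaky operator could surface.
SELECT s.schemaname, s.tablename, s.attname,
       array_length(s.most_common_vals, 1)  AS n_mcv,
       array_length(s.histogram_bounds, 1) AS n_histogram_bounds
FROM pg_stats s
JOIN pg_class c     ON c.relname = s.tablename
JOIN pg_namespace n ON n.oid = c.relnamespace AND n.nspname = s.schemaname
WHERE c.relrowsecurity
  AND (s.most_common_vals IS NOT NULL OR s.histogram_bounds IS NOT NULL);

-- 3. Stopgap until the upgrade: stop collecting statistics for a sensitive
--    column (assumed table app.customers, column ssn) so ANALYZE stores
--    nothing the planner could leak. Predicates on that column get worse
--    plans. Re-run query 2 afterwards: a statistics target of 0 stops future
--    collection but does not by itself remove a row already in pg_statistic.
ALTER TABLE app.customers ALTER COLUMN ssn SET STATISTICS 0;
ANALYZE app.customers;

-- 4. Version check, valid before and after the upgrade. server_version_num
--    encodes 11.3 as 110003, 10.8 as 100008, 9.6.13 as 90613 and 9.5.17 as
--    90517, so "affected" means an earlier release in one of those branches.
SELECT current_setting('server_version') AS server_version,
       (v BETWEEN 110000 AND 110002)
    OR (v BETWEEN 100000 AND 100007)
    OR (v BETWEEN  90600 AND  90612)
    OR (v BETWEEN  90500 AND  90516) AS affected_by_cve_2019_10130
FROM (SELECT current_setting('server_version_num')::int AS v) AS s;
```

Query 2 is also the post-stopgap verification: if the column still shows most_common_vals after step 3, the earlier statistics row is still present in pg_statistic and a superuser has to remove it explicitly before the stopgap is effective. Query 4 returning false for a server in one of the four branches means the server is on a fixed release; it says nothing about 9.4 or earlier branches, which the page does not cover.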
Update PostgreSQL to the latest available version. Versions 9.5.17, 9.6.13, 10.8, and 11.3 fix this vulnerability. The update will resolve the security issue.
CVE-2019-10130 is a PostgreSQL vulnerability that lets a user read sensitive column values through the statistics used by the query planner. It affects 11.x before 11.3, 10.x before 10.8, 9.6.x before 9.6.13 and 9.5.x before 9.5.17.
You are affected if you are running PostgreSQL versions 9.5, 9.6, 10, or 11 prior to the respective fixed versions (9.5.17, 9.6.13, 10.8, and 11.3).
Upgrade to the fixed minor release for your major version (9.5.17, 9.6.13, 10.8 or 11.3) or later. Row-level security does not mitigate this issue; it is the condition under which the leak occurs. Until you can upgrade, restrict SELECT on tables with row security policies to the roles that need it.
There is no current evidence of active exploitation in the wild, although public proof-of-concept code exists.
Refer to the PostgreSQL security advisory at https://www.postgresql.org/announcements/security.php