Vulnerability Details : CVE-2019-10164
PostgreSQL versions 10.x before 10.9 and versions 11.x before 11.4 are vulnerable to a stack-based buffer overflow. Any authenticated user can overflow a stack-based buffer by changing the user's own password to a purpose-crafted value. This often suffices to execute arbitrary code as the PostgreSQL operating system account.
Vulnerability category: OverflowMemory CorruptionExecute code
Products affected by CVE-2019-10164
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
- cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
Threat overview for CVE-2019-10164
Top countries where our scanners detected CVE-2019-10164
Top open port discovered on systems with this issue
5432
IPs affected by CVE-2019-10164 127,767
Threat actors abusing to this issue?
Yes
Find out if you* are
affected by CVE-2019-10164!
*Directly or indirectly through your vendors, service providers and 3rd parties.
Powered by
attack surface intelligence
from SecurityScorecard.
Exploit prediction scoring system (EPSS) score for CVE-2019-10164
5.01%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 89 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-10164
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
9.0
|
HIGH | AV:N/AC:L/Au:S/C:C/I:C/A:C |
8.0
|
10.0
|
NIST | |
|
7.5
|
HIGH | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.6
|
5.9
|
Red Hat, Inc. | |
|
8.8
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
2.8
|
5.9
|
NIST |
CWE ids for CVE-2019-10164
-
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).Assigned by: secalert@redhat.com (Secondary)
-
The product writes data past the end, or before the beginning, of the intended buffer.Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-10164
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MAGE6H4FWLKFLHLWVYNPYGQRPIXTUWGB/
[SECURITY] Fedora 30 Update: postgresql-11.4-1.fc30 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00035.html
[security-announce] openSUSE-SU-2019:1773-1: moderate: Security update fMailing List;Third Party Advisory
-
https://security.gentoo.org/glsa/202003-03
PostgreSQL: Multiple vulnerabilities (GLSA 202003-03) — Gentoo securityThird Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10164
1719698 – (CVE-2019-10164) CVE-2019-10164 PostgreSQL: stack-based buffer overflow via setting a passwordIssue Tracking;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TTKEHXGDXYYD6WYDIIQJP4GDQJSENDJK/
[SECURITY] Fedora 29 Update: postgresql-10.9-1.fc29 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://www.postgresql.org/about/news/1949/
PostgreSQL: PostgreSQL 11.4, 10.9, 9.6.14, 9.5.18, 9.4.23, and 12 Beta 2 Released!Vendor Advisory
Jump to