Vulnerability Name:

CVE-2019-10209 (CCN-165073)

Assigned:2019-08-08
Published:2019-08-08
Updated:2020-10-01
Summary:Postgresql, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan.
CVSS v3 Severity:2.2 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N)
2.0 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): High
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
4.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
3.8 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-125
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2019-10209

Source: CONFIRM
Type: Issue Tracking, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10209

Source: XF
Type: UNKNOWN
postgresql-cve201910209-info-disc(165073)

Source: CCN
Type: IBM Security Bulletin 6188529 (Robotic Process Automation with Automation Anywhere)
PostgreSQL vulnerabilities in IBM Robotic Process Automation with Automation Anywhere (CVE-2019-10209, 10211, 10210, 10208)

Source: CCN
Type: PostgreSQL Web site
PostgreSQL 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24, and 12 Beta 3 Released!

Source: CONFIRM
Type: Vendor Advisory
https://www.postgresql.org/about/news/1960/

Vulnerable Configuration:Configuration 1:
  • cpe:/a:postgresql:postgresql:*:*:*:*:*:*:*:* (Version >= 11.0 and < 11.5)

    • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:113158
    P
    		postgresql11-11.13-1.3 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:106584
    P
    		postgresql11-11.13-1.3 on GA media (Moderate)
    2021-10-01
    oval:com.ubuntu.disco:def:2019102090000000
    V
    		CVE-2019-10209 on Ubuntu 19.04 (disco) - low.
    2019-10-29
    BACK
    postgresql postgresql *