postgresql before versions 11.1, 10.6 is vulnerable to a to SQL injection in pg_upgrade and pg_dump via CREATE TRIGGER ... REFERENCING. Using a purpose-crafted trigger definition, an attacker can cause arbitrary SQL statements to run, with superuser privileges.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
| Link | Tags |
|---|---|
| https://usn.ubuntu.com/3818-1/ | third party advisory vendor advisory |
| https://access.redhat.com/errata/RHSA-2018:3757 | third party advisory vendor advisory |
| https://www.postgresql.org/about/news/1905/ | release notes vendor advisory |
| http://www.securitytracker.com/id/1042144 | third party advisory vdb entry |
| https://security.gentoo.org/glsa/201811-24 | vendor advisory mitigation third party advisory |
| http://www.securityfocus.com/bid/105923 | third party advisory vdb entry |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16850 | patch third party advisory issue tracking |