Vulnerabilities > Postgresql > Medium

DATE CVE VULNERABILITY TITLE RISK
2020-01-27 CVE-2014-8161 Information Exposure Through an Error Message vulnerability in multiple products
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
network
low complexity
postgresql debian CWE-209
4.0
2019-11-20 CVE-2015-3167 Information Exposure vulnerability in multiple products
contrib/pgcrypto in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 uses different error responses when an incorrect key is used, which makes it easier for attackers to obtain the key via a brute force attack.
network
low complexity
postgresql debian canonical CWE-200
5.0
2019-10-29 CVE-2019-10208 SQL Injection vulnerability in Postgresql
A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function.
network
low complexity
postgresql CWE-89
6.5
2019-07-30 CVE-2019-10130 Improper Access Control vulnerability in Postgresql
A vulnerability was found in PostgreSQL versions 11.x up to excluding 11.3, 10.x up to excluding 10.8, 9.6.x up to, excluding 9.6.13, 9.5.x up to, excluding 9.5.17.
network
low complexity
postgresql CWE-284
4.0
2019-07-30 CVE-2019-10129 Out-of-bounds Read vulnerability in Postgresql 11.0/11.1/11.2
A vulnerability was found in postgresql versions 11.x prior to 11.3.
network
low complexity
postgresql CWE-125
6.5
2018-08-09 CVE-2018-10915 SQL Injection vulnerability in multiple products
A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections.
6.0
2018-02-09 CVE-2018-1052 Information Exposure vulnerability in Postgresql 10.0/10.1
Memory disclosure vulnerability in table partitioning was found in postgresql 10.x before 10.2, allowing an authenticated attacker to read arbitrary bytes of server memory via purpose-crafted insert to a partitioned table.
network
low complexity
postgresql CWE-200
4.0
2017-11-22 CVE-2017-15099 Information Exposure vulnerability in multiple products
INSERT ...
network
low complexity
postgresql debian CWE-200
4.0
2017-11-22 CVE-2017-15098 Information Exposure vulnerability in multiple products
Invalid json_populate_recordset or jsonb_populate_recordset function calls in PostgreSQL 10.x before 10.1, 9.6.x before 9.6.6, 9.5.x before 9.5.10, 9.4.x before 9.4.15, and 9.3.x before 9.3.20 can crash the server or disclose a few bytes of server memory.
network
low complexity
postgresql debian CWE-200
5.5
2017-11-13 CVE-2017-8806 Link Following vulnerability in Postgresql
The Debian pg_ctlcluster, pg_createcluster, and pg_upgradecluster scripts, as distributed in the Debian postgresql-common package before 181+deb9u1 for PostgreSQL (and other packages related to Debian and Ubuntu), handled symbolic links insecurely, which could result in local denial of service by overwriting arbitrary files.
local
low complexity
postgresql CWE-59
5.5