CVE-2019-10128

A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code.
References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1707102 Issue Tracking Third Party Advisory
https://security.netapp.com/advisory/ntap-20210430-0004/ Third Party Advisory
https://www.postgresql.org/about/news/1939/ Exploit Release Notes Vendor Advisory
Configurations

Configuration 1 (hide)

AND
OR cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

01 Jan 2022, 18:03

Type Values Removed Values Added
References (CONFIRM) https://security.netapp.com/advisory/ntap-20210430-0004/ - (CONFIRM) https://security.netapp.com/advisory/ntap-20210430-0004/ - Third Party Advisory

30 Apr 2021, 08:15

Type Values Removed Values Added
References
  • (CONFIRM) https://security.netapp.com/advisory/ntap-20210430-0004/ -

25 Mar 2021, 18:48

Type Values Removed Values Added
CVSS v2 : 4.4
v3 : 7.0
v2 : 4.1
v3 : 7.8

25 Mar 2021, 17:43

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : 4.4
v3 : 7.0
References (MISC) https://www.postgresql.org/about/news/1939/ - (MISC) https://www.postgresql.org/about/news/1939/ - Exploit, Release Notes, Vendor Advisory
References (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1707102 - (MISC) https://bugzilla.redhat.com/show_bug.cgi?id=1707102 - Issue Tracking, Third Party Advisory
CPE cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*

19 Mar 2021, 20:21

Type Values Removed Values Added
New CVE

Information

Published : 2021-03-19 20:15

Updated : 2023-12-10 13:41


NVD link : CVE-2019-10128

Mitre link : CVE-2019-10128

CVE.ORG link : CVE-2019-10128


JSON object : View

Products Affected

microsoft

  • windows

postgresql

  • postgresql
CWE
CWE-284

Improper Access Control