High severity (8.1) · NVD Advisory · Published Aug 9, 2018 · Updated Jun 17, 2026
CVE-2018-10925
Description
It was discovered that PostgreSQL versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 failed to properly check authorization on certain statements involved with "INSERT ... ON CONFLICT DO UPDATE". An attacker with "CREATE TABLE" privileges could exploit this to read arbitrary bytes of server memory. If the attacker also had certain "INSERT" and limited "UPDATE" privileges to a particular table, they could exploit this to update other columns in the same table.
Affected products
- (no CPE) range: <10.5
- (no CPE) range: 10.5
- osv-coords (29 versions):
  - pkg:rpm/opensuse/postgresql10&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/postgresql10&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/postgresql11&distro=openSUSE%20Tumbleweed
  - pkg:rpm/opensuse/postgresql12&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/postgresql96&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/opensuse/postgresql&distro=openSUSE%20Leap%2015.1
  - pkg:rpm/suse/postgresql10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015
  - pkg:rpm/suse/postgresql10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Enterprise%20Storage%204
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2
  - pkg:rpm/suse/postgresql96&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
  - pkg:rpm/suse/postgresql96&distro=SUSE%20OpenStack%20Cloud%207
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Enterprise%20Storage%204
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Desktop%2012%20SP3
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP1-LTSS
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP2-LTSS
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Server%2012%20SP3
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Server%2012-LTSS
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP1
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP2
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2012%20SP3
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20Linux%20Enterprise%20Software%20Development%20Kit%2012%20SP3
  - pkg:rpm/suse/postgresql96-libs&distro=SUSE%20OpenStack%20Cloud%207
- (no CPE) range: < 10.13-lp151.2.14.1
- (no CPE) range: < 10.18-1.3
- (no CPE) range: < 11.13-1.3
- (no CPE) range: < 12.3-lp151.2.1
- (no CPE) range: < 9.6.19-lp151.3.3.1
- (no CPE) range: < 12.0.1-lp151.6.9.1
- (no CPE) range: < 10.5-4.5.1
- (no CPE) range: < 10.5-4.5.1
- (no CPE) range: < 9.6.10-3.22.7
- (no CPE) range: < 9.6.10-3.22.7
- (no CPE) range: < 9.6.10-3.22.7
- (no CPE) range: < 9.6.10-3.22.7
- (no CPE) range: < 9.6.10-3.22.7
- (no CPE) range: < 9.6.10-3.22.7
- (no CPE) range: < 9.6.10-3.22.7
- (no CPE) range: < 9.6.10-3.22.7
- (no CPE) range: < 9.6.10-3.22.7
- (no CPE) range: < 9.6.10-3.22.7
- (no CPE) range: < 9.6.10-3.22.1
- (no CPE) range: < 9.6.10-3.22.1
- (no CPE) range: < 9.6.10-3.22.1
- (no CPE) range: < 9.6.10-3.22.1
- (no CPE) range: < 9.6.10-3.22.1
- (no CPE) range: < 9.6.10-3.22.1
- (no CPE) range: < 9.6.10-3.22.1
- (no CPE) range: < 9.6.10-3.22.1
- (no CPE) range: < 9.6.10-3.22.1
- (no CPE) range: < 9.6.10-3.22.1
- (no CPE) range: < 9.6.10-3.22.1
References
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking, Patch, Third Party Advisory)
- lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html (nvd: Mailing List, Third Party Advisory)
- www.securityfocus.com/bid/105052 (nvd: Third Party Advisory, VDB Entry)
- www.securitytracker.com/id/1041446 (nvd: Third Party Advisory, VDB Entry)
- access.redhat.com/errata/RHSA-2018:2511 (nvd: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:2565 (nvd: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:2566 (nvd: Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:3816 (nvd: Third Party Advisory)
- security.gentoo.org/glsa/201810-08 (nvd: Third Party Advisory)
- usn.ubuntu.com/3744-1/ (nvd: Third Party Advisory)
- www.debian.org/security/2018/dsa-4269 (nvd: Third Party Advisory)
- www.postgresql.org/about/news/1878/ (nvd: Vendor Advisory)