PostgreSQL pg_upgrade and pg_dump Utilities SQL Injection Vulnerability

By GIXnews

A vulnerability in PostgreSQL could allow an authenticated, remote attacker to conduct an SQL injection attack on a targeted system.

The vulnerability is due to improper validation of statements involving CREATE TRIGGER REFERENCING by the affected software. An attacker with superuser and CREATE privileges could use a crafted trigger definition to exploit this vulnerability when running the pg_upgrade utility on the database or during a pg_dump utility dump/restore cycle on a targeted system. A successful exploit could allow the attacker to perform an SQL injection attack, which could be used to conduct further attacks.

PostgreSQL has confirmed the vulnerability and released software updates.

Security Impact Rating: Medium

CVE: CVE-2018-16850

Source:: Cisco Multivendor Vulnerability Alerts