CVE-2018-1058: Input Validation

Published Feb 20, 2018
·
Updated

A flaw was found in the way Postgresql allowed a user to modify the behavior of a query for other users. An attacker with a user account could use this flaw to execute code with the permissions of superuser in the database.

Other sources

From upstream advisory:

Supported, Vulnerable Versions: 9.3 - 10. The security team typically does not test unsupported versions, but this problem is quite old.

The PostgreSQL searchpath setting determines schemas searched for tables, functions, operators, etc. The pgdump client application chooses searchpath settings such that every schema may appear at the front of its search path. This permits a user with CREATE privilege on any schema to execute arbitrary SQL functions under the identity of the user running pgdump, often a superuser. This is exploitable in the default configuration, where all users have CREATE privilege on schema "public". The pgupgrade implementation invokes pgdump under a superuser identity, and its usage is vulnerable.

Other client applications, such as vacuumdb, leave searchpath unchanged. In the default configuration, users can create objects in the "public" schema and harness them to execute arbitrary SQL functions under the identity of the user running these programs. The PostgreSQL project estimates this class of vulnerability is pervasive in applications that query PostgreSQL databases, so we are issuing guidance for database administrators and application authors to secure their own work. In brief, one can issue "REVOKE CREATE ON SCHEMA public FROM PUBLIC" to prevent these attacks.

Red Hat

Postgresql could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the searchpath setting. By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code with the permissions of superuser in the database.

IBM

Affected Software

28 affected componentsFixes available
redhat/cfme<0:5.9.6.5-3.el7cf
0:5.9.6.5-3.el7cf
redhat/cfme-amazon-smartstate<0:5.9.6.5-2.el7cf
0:5.9.6.5-2.el7cf
redhat/cfme-appliance<0:5.9.6.5-1.el7cf
0:5.9.6.5-1.el7cf
redhat/cfme-gemset<0:5.9.6.5-2.el7cf
0:5.9.6.5-2.el7cf
redhat/dbus-api-service<0:1.0.1-3.1.el7cf
0:1.0.1-3.1.el7cf
redhat/httpd-configmap-generator<0:0.2.2-1.2.el7cf
0:0.2.2-1.2.el7cf
redhat/postgresql96<0:9.6.10-1PGDG.el7a
0:9.6.10-1PGDG.el7a
redhat/rh-postgresql95-postgresql<0:9.5.14-1.el6
0:9.5.14-1.el6
redhat/rh-postgresql96-postgresql<0:9.6.10-1.el6
0:9.6.10-1.el6
redhat/rh-postgresql95-postgresql<0:9.5.14-1.el7
0:9.5.14-1.el7
redhat/rh-postgresql96-postgresql<0:9.6.10-1.el7
0:9.6.10-1.el7
redhat/postgresql<10.3
10.3
redhat/postgresql<9.6.8
9.6.8
redhat/postgresql<9.5.12
9.5.12
redhat/postgresql<9.4.17
9.4.17
redhat/postgresql<9.3.22
9.3.22
debian/postgresql-10
debian/postgresql-9.1
PostgreSQL postgresql>=9.3<9.3.22
PostgreSQL postgresql>=9.4<9.4.17
PostgreSQL postgresql>=9.5<9.5.12
PostgreSQL postgresql>=9.6<9.6.8
PostgreSQL postgresql>=10.0<10.3
Canonical Ubuntu Linux=14.04
Canonical Ubuntu Linux=16.04
Canonical Ubuntu Linux=17.10
redhat Cloudforms=4.6
IBM Security Verify Governance<=10.0

Remediation

Information

Upstream suggests the following mitigation can be used to protect against this security flaw: https://wiki.postgresql.org/wiki/A_Guide_to_CVE-2018-1058:_Protect_Your_Search_Path

Event History

Mar 1, 2018
CVE Published
12:00 AM
Mar 2, 2018
CVE Published
via MITRE·03:00 PM
Data Sourced
via MITRE·03:00 PM
DescriptionWeakness
Data Sourced
via NVD·03:29 PM
DescriptionSeverityWeaknessAffected Software
Aug 5, 2024
Data Sourced
via Launchpad·03:54 AM
Description
Feb 20, 2026
Data Sourced
via Ubuntu·06:38 PM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is CVE-2018-1058?

CVE-2018-1058 is a vulnerability in Postgresql that could allow a remote attacker to execute arbitrary code on the system.

2

How does CVE-2018-1058 affect Postgresql?

CVE-2018-1058 affects Postgresql by allowing a remote authenticated attacker to modify the behavior of a query for other users, potentially executing arbitrary code with superuser permissions.

3

What is the severity of CVE-2018-1058?

The severity of CVE-2018-1058 is rated as high, with a CVSS score of 8.8 out of 10.

4

Which versions of Postgresql are affected by CVE-2018-1058?

Postgresql versions 10.3, 9.6.8, 9.5.12, 9.4.17, and 9.3.22 are affected by CVE-2018-1058.

5

How can I fix the CVE-2018-1058 vulnerability?

To fix the CVE-2018-1058 vulnerability, update Postgresql to version 10.3 or apply the necessary patches provided by the vendor.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203