Is CVE-2018-10915 being actively exploited?

It is not currently in CISA's KEV catalog. Its EPSS exploitation probability is 5%.

What products does CVE-2018-10915 affect?

Tracked products affected include PostgreSQL. Check the version you run to see whether it is affected.

How do I fix CVE-2018-10915?

Apply the vendor fix promptly. Upgrade affected products to a fixed version.

CVE-2018-10915

Q: What is CVE-2018-10915?

CVE-2018-10915 is a high-severity software vulnerability (SQL injection) with a CVSS score of 8.5. A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters

HIGH severity · CVSS 8.5 · SQL injection

8.5CVSS HIGH

Summary

A vulnerability was found in libpq, the default PostgreSQL client library where libpq failed to properly reset its internal state between connections. If an affected version of libpq was used with "host" or "hostaddr" connection parameters from untrusted input, attackers could bypass client-side connection security features, obtain access to higher privileged connections or potentially cause other impact through SQL injection, by causing the PQescape() functions to malfunction. Postgresql versions before 10.5, 9.6.10, 9.5.14, 9.4.19, and 9.3.24 are affected.

Impact & exploitability

Attack vectorNetwork

Attack complexityHigh

Privileges requiredLow

User interactionNone

Confidentiality impactHigh

Integrity impactHigh

Availability impactHigh

Exploit probability (EPSS)5%

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

Affected products we track (1)

PostgreSQL

Recommendation

Apply the vendor fix promptly. Open any affected product above for its exact safe version.

CVE-2018-10915

Summary

Impact & exploitability

Affected products we track (1)

Recommendation

Additional information