{"api_version":"1","generated_at":"2026-04-22T23:30:45+00:00","cve":"CVE-2019-10208","urls":{"html":"https://cve.report/CVE-2019-10208","api":"https://cve.report/api/cve/CVE-2019-10208.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-10208","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-10208"},"summary":{"title":"CVE-2019-10208","description":"A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2019-10-29 19:15:00","updated_at":"2020-08-17 19:15:00"},"problem_types":["CWE-89"],"metrics":[],"references":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10208","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10208","refsource":"CONFIRM","tags":["Issue Tracking","Third Party Advisory"],"title":"1734416 – (CVE-2019-10208) CVE-2019-10208 postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html","name":"openSUSE-SU-2020:1227","refsource":"SUSE","tags":[],"title":"[security-announce] openSUSE-SU-2020:1227-1: moderate: Security update f","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.postgresql.org/about/news/1960/","name":"https://www.postgresql.org/about/news/1960/","refsource":"CONFIRM","tags":["Vendor Advisory"],"title":"PostgreSQL: PostgreSQL 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24, and 12 Beta 3 Released!","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-10208","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10208","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"10208","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"postgresql","cpe5":"postgresql","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10208","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"postgresql","cpe5":"postgresql","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-10208","qid":"159172","title":"Oracle Enterprise Linux Security Update for postgresql (ELSA-2021-1512)"},{"cve":"CVE-2019-10208","qid":"159270","title":"Oracle Enterprise Linux Security Update for rh-postgresql10-postgresql (ELSA-2021-9290)"},{"cve":"CVE-2019-10208","qid":"239266","title":"Red Hat Update for postgresql (RHSA-2021:1512)"},{"cve":"CVE-2019-10208","qid":"257093","title":"CentOS Security Update for postgresql (CESA-2021:1512)"},{"cve":"CVE-2019-10208","qid":"257095","title":"CentOS Security Update for postgresql (CESA-2021:1512)"},{"cve":"CVE-2019-10208","qid":"352389","title":"Amazon Linux Security Advisory for postgresql: ALAS2-2021-1665"},{"cve":"CVE-2019-10208","qid":"352472","title":"Amazon Linux Security Advisory for postgresql92: ALAS-2021-1519"},{"cve":"CVE-2019-10208","qid":"352821","title":"Amazon Linux Security Advisory for postgresql9: AL2012-2021-345"},{"cve":"CVE-2019-10208","qid":"377029","title":"Alibaba Cloud Linux Security Update for postgresql (ALINUX2-SA-2021:0028)"},{"cve":"CVE-2019-10208","qid":"500537","title":"Alpine Linux Security Update for postgresql"},{"cve":"CVE-2019-10208","qid":"502005","title":"Alpine Linux Security Update for postgresql14"},{"cve":"CVE-2019-10208","qid":"502771","title":"Alpine Linux Security Update for postgresql15"},{"cve":"CVE-2019-10208","qid":"504304","title":"Alpine Linux Security Update for postgresql14"},{"cve":"CVE-2019-10208","qid":"505663","title":"Alpine Linux Security Update for postgresql15"},{"cve":"CVE-2019-10208","qid":"730155","title":"McAfee Web Gateway Multiple Vulnerabilities(WP-3580, WP-3656, WP-3815, WP-3878, WP-3882, WP-3934,WP-3935, WP-3936, WP-3999)"},{"cve":"CVE-2019-10208","qid":"940299","title":"AlmaLinux Security Update for postgresql:9.6 (ALSA-2020:5619)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-10208","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"PostgreSQL","product":{"product_data":[{"product_name":"postgresql","version":{"version_data":[{"version_value":"all 11.x before 11.5"},{"version_value":"all 10.x before 10.10"},{"version_value":"all 9.6.x before 9.6.15"},{"version_value":"all 9.5.x before 9.5.19"},{"version_value":"all 9.4.x before 9.4.24"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-89"}]}]},"references":{"reference_data":[{"url":"https://www.postgresql.org/about/news/1960/","refsource":"MISC","name":"https://www.postgresql.org/about/news/1960/"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10208","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10208","refsource":"CONFIRM"},{"refsource":"SUSE","name":"openSUSE-SU-2020:1227","url":"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html"}]},"description":{"description_data":[{"lang":"eng","value":"A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function."}]},"impact":{"cvss":[[{"vectorString":"7.5/CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H","version":"3.0"}]]}},"nvd":{"publishedDate":"2019-10-29 19:15:00","lastModifiedDate":"2020-08-17 19:15:00","problem_types":["CWE-89"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"9.5.0","versionEndExcluding":"9.5.19","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"9.6.0","versionEndExcluding":"9.6.15","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"10.0","versionEndExcluding":"10.10","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"11.0","versionEndExcluding":"11.5","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*","versionStartIncluding":"9.4.0","versionEndExcluding":"9.4.24","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"10208","Ordinal":"148425","Title":"CVE-2019-10208","CVE":"CVE-2019-10208","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"10208","Ordinal":"1","NoteData":"A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"10208","Ordinal":"2","NoteData":"2019-10-29","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"10208","Ordinal":"3","NoteData":"2020-08-17","Type":"Other","Title":"Modified"}]}}}