CVE-2019-10129 in PostgreSQL

Summary

by MITRE

A vulnerability was found in postgresql versions 11.x prior to 11.3. Using a purpose-crafted insert to a partitioned table, an attacker can read arbitrary bytes of server memory. In the default configuration, any user can create a partitioned table suitable for this attack. (Exploit prerequisites are the same as for CVE-2018-1052).


Analysis

by VulDB Data Team • 09/07/2025

This vulnerability in PostgreSQL affects versions 11.x prior to 11.3 and represents a critical information disclosure flaw that allows attackers to read arbitrary bytes from server memory through crafted insert operations on partitioned tables. The vulnerability stems from improper handling of memory allocation and data processing within the database engine's partitioning mechanism. Attackers can exploit this by creating specially crafted insert statements that trigger memory access patterns which reveal sensitive data from the server's memory space, potentially exposing database credentials, connection details, or other confidential information.

The technical implementation of this vulnerability involves the manipulation of partitioned table structures to cause the PostgreSQL engine to access memory locations beyond the intended data boundaries during insert operations. When an attacker creates a partitioned table and executes specific insert statements, the database engine's internal memory management routines fail to properly validate or constrain memory access, leading to information leakage. This type of vulnerability falls under CWE-125, which describes out-of-bounds read conditions where a program accesses memory beyond the boundaries of an allocated buffer, and aligns with ATT&CK technique T1005 (Data from Local System).

The operational impact of this vulnerability is significant as it can be exploited by any user with the ability to create partitioned tables, which in default PostgreSQL configurations is available to all database users. This makes the attack surface particularly wide since no special privileges are required beyond basic database access. The information disclosed through this vulnerability could include database connection strings, user credentials, internal database structures, or other sensitive operational data that could be leveraged for further attacks. The exploit prerequisites match those of CVE-2018-1052, indicating similar underlying memory management issues in the PostgreSQL codebase.

Mitigation strategies for this vulnerability primarily involve upgrading to PostgreSQL version 11.3 or later, which contains the necessary patches to prevent the memory access violations. Organizations should also implement network segmentation and access controls to limit database user privileges where possible, though these measures do not address the core vulnerability. Database administrators should conduct thorough security assessments of their partitioned table usage and monitor for unauthorized table creation activities. The fix implemented in PostgreSQL 11.3 addresses the root cause by strengthening memory boundary checks during partitioned table operations and ensuring proper validation of insert statements before memory allocation occurs, effectively closing the information disclosure pathway that attackers could exploit to read server memory contents.
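
The version check and partitioned-table review described above can be run as catalog queries. This is an added audit example, not part of the advisory or of PostgreSQL's own tooling; it assumes a psql session in each database under a role that can read the system catalogs, and the schema filter is an assumption to adjust locally.

```sql
-- Added audit example (not from the advisory). Run once per database.

-- 1. Is this server in the affected range (11.x prior to 11.3)?
--    server_version_num is 110003 for release 11.3.
SELECT current_setting('server_version') AS server_version,
       (current_setting('server_version_num')::int >= 110000
        AND current_setting('server_version_num')::int < 110003)
         AS in_affected_range;

-- 2. Existing partitioned tables and who owns them.
--    relkind 'p' marks a partitioned table. Tables owned by
--    non-superuser roles are listed first for review.
SELECT n.nspname                   AS schema_name,
       c.relname                   AS partitioned_table,
       pg_get_userbyid(c.relowner) AS owner,
       r.rolsuper                  AS owner_is_superuser
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles r     ON r.oid = c.relowner
WHERE c.relkind = 'p'
ORDER BY r.rolsuper, schema_name, partitioned_table;

-- 3. Non-superuser login roles that hold CREATE on a schema and can
--    therefore create tables (including partitioned tables) there.
--    The advisory notes that any user can do this in the default
--    configuration. System schemas are excluded (assumed filter).
SELECT r.rolname,
       n.nspname AS schema_name
FROM pg_roles r
CROSS JOIN pg_namespace n
WHERE r.rolcanlogin
  AND NOT r.rolsuper
  AND n.nspname !~ '^pg_'
  AND n.nspname <> 'information_schema'
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
ORDER BY r.rolname, schema_name;
```

A server that reports `in_affected_range = true` needs the upgrade to 11.3 or later regardless of what queries 2 and 3 return; those results only scope the review of table creation rights.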

Responsible

Red Hat, Inc.

Reservation

03/27/2019

Moderation

accepted

CPE

ready

EPSS

0.00419

KEV

no

Activities

very low
