{"id":"CVE-2019-10208","details":"A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.","modified":"2026-04-16T00:07:51.645955606Z","published":"2019-10-29T19:15:16.127Z","related":["SUSE-SU-2019:2158-1","SUSE-SU-2019:2159-1","SUSE-SU-2019:2228-1","SUSE-SU-2019:2707-1","openSUSE-SU-2019:2062-1","openSUSE-SU-2020:1227-1","openSUSE-SU-2024:11184-1","openSUSE-SU-2024:11185-1"],"references":[{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html"},{"type":"ADVISORY","url":"https://www.postgresql.org/about/news/1960/"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10208"}],"affected":[{"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"9.4.0"},{"fixed":"9.4.24"}]},{"events":[{"introduced":"9.5.0"},{"fixed":"9.5.19"}]},{"events":[{"introduced":"9.6.0"},{"fixed":"9.6.15"}]},{"events":[{"introduced":"10.0"},{"fixed":"10.10"}]},{"events":[{"introduced":"11.0"},{"fixed":"11.5"}]}],"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-10208.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}