Endpoint Vulnerability

PostgreSQL: SQL injection in pg_upgrade and pg_dump, via CREATE TRIGGER ... REFERENCING.

Description

A SQL Injection flaw has been discovered in PostgreSQL server in the way triggers that enable transition relations are dumped. The transition relation name is not correctly quoted and it may allow an attacker with CREATE privilege on some non-temporary schema or TRIGGER privilege on some table to create a malicious trigger that, when dumped and restored, would result in additional SQL statements being executed.

Affected Products

PostgreSQL

References

CVE-2018-16850,