PgpoolAdmin fails to restrict access permissions

Overview

PgpoolAdmin provided by PgPool Global Development Group fails to restrict access permissions (CWE-264).

Fotios Rogkotis of DarkMatter reported this vulnerability to PgPool Global Development Group, and PgPool Global Development Group reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and PgPool Global Development Group coordinated under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 9.8 (Critical) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 7.5 (High) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Partial
  • Availability Impact: Partial
Affected Products

PgPool Global Development Group
  • PgpoolAdmin 4.0 and earlier

Impact

A remote attacker may bypass the login authentication and obtain administrative privileges on the PostgreSQL database.

Solution

[Update the Software]
Update to the latest version according to the information provided by the developer.
Vendor Information

PgPool Global Development Group
CWE

  1. Permissions (CWE-264) [IPA Evaluation]
CVE

  1. CVE-2018-16203

References

  1. JVN : JVN#13199224
  2. National Vulnerability Database (NVD) : CVE-2018-16203
Revision History

  • [2018/12/21]
      Web page was published
  • [2019/08/27]
      References : Content was added