CVE-2019-9193

Published: 1 April 2019

** DISPUTED ** In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.

Priority

CVSS 3 base score: 7.2

Status

Package	Release	Status
postgresql-10 Launchpad, Ubuntu, Debian	bionic	Not vulnerable
	cosmic	Not vulnerable
	precise	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
postgresql-11 Launchpad, Ubuntu, Debian	bionic	Does not exist
	cosmic	Does not exist
	precise	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
postgresql-9.1 Launchpad, Ubuntu, Debian	bionic	Does not exist
	cosmic	Does not exist
	precise	Not vulnerable
	trusty	Does not exist (trusty was not-affected)
	upstream	Needs triage
	xenial	Does not exist
postgresql-9.3 Launchpad, Ubuntu, Debian	bionic	Does not exist
	cosmic	Does not exist
	precise	Does not exist
	trusty	Not vulnerable
	upstream	Needs triage
	xenial	Does not exist
postgresql-9.5 Launchpad, Ubuntu, Debian	bionic	Does not exist
	cosmic	Does not exist
	precise	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Not vulnerable

Notes

Author	Note
mdeslaur	upstream doesn't consider this to be a security issue. Marking as not-affected

CVE-2019-9193

Medium

Status

Notes

References

Bugs

Join the discussion

Canonical is offering Extended Security Maintenance

Further reading