CVE-2020-14350
Published: 17 August 2020
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.
Notes
| Author | Note |
|---|---|
| leosilva | Since we don't have how to give support for postgresql-9.1 that is end of life in upstream, marking as ignored to precise. since 9.3 has no long upstream support and so far we have no ways to patch it deferred it for -esm-main releases. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
postgresql-10 Launchpad, Ubuntu, Debian |
hirsute |
Does not exist
|
| upstream |
Released
(10.14)
|
|
| trusty |
Does not exist
|
|
| xenial |
Does not exist
|
|
| bionic |
Released
(10.14-0ubuntu0.18.04.1)
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
|
postgresql-9.5 Launchpad, Ubuntu, Debian |
hirsute |
Does not exist
|
| kinetic |
Does not exist
|
|
| bionic |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(9.5.23)
|
|
| xenial |
Released
(9.5.23-0ubuntu0.16.04.1)
|
|
|
postgresql-9.3 Launchpad, Ubuntu, Debian |
hirsute |
Does not exist
|
| bionic |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| trusty |
Deferred
(2019-08-31)
|
|
| kinetic |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
postgresql-9.1 Launchpad, Ubuntu, Debian |
hirsute |
Does not exist
|
| upstream |
Needs triage
|
|
| trusty |
Does not exist
|
|
| xenial |
Does not exist
|
|
| bionic |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
|
postgresql-12 Launchpad, Ubuntu, Debian |
hirsute |
Does not exist
|
| upstream |
Released
(12.4-1)
|
|
| trusty |
Does not exist
|
|
| xenial |
Does not exist
|
|
| bionic |
Does not exist
|
|
| focal |
Released
(12.4-0ubuntu0.20.04.1)
|
|
| groovy |
Released
(12.4-1)
|
|
| kinetic |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| lunar |
Does not exist
|
|
|
Patches: upstream: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=7eeb1d9861b0a3f453f8b31c7648396cdd7f1e59 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.3 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |