CVE-2020-14350

Published: 17 August 2020

It was found that some PostgreSQL extensions did not use search_path safely in their installation scripts. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script during the installation or update of such an extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.

Notes

Author Note
leosilva
Since we don't have a way to give support for postgresql-9.1,
which is end of life upstream, marking as ignored for
precise.
Since 9.3 no longer has upstream support
and so far we have no way to patch it,
deferred it for -esm-main releases.

Priority

Medium

CVSS 3 Severity Score

7.3


Status

Package Release Status
postgresql-10
Launchpad, Ubuntu, Debian
hirsute Does not exist
upstream Released (10.14)
trusty Does not exist
xenial Does not exist
bionic Released (10.14-0ubuntu0.18.04.1)
focal Does not exist
groovy Does not exist
kinetic Does not exist
impish Does not exist
jammy Does not exist
lunar Does not exist

postgresql-9.5
Launchpad, Ubuntu, Debian
hirsute Does not exist
kinetic Does not exist
bionic Does not exist
focal Does not exist
groovy Does not exist
impish Does not exist
jammy Does not exist
lunar Does not exist
trusty Does not exist
upstream Released (9.5.23)
xenial Released (9.5.23-0ubuntu0.16.04.1)

postgresql-9.3
Launchpad, Ubuntu, Debian
hirsute Does not exist
bionic Does not exist
focal Does not exist
groovy Does not exist
trusty Deferred (2019-08-31)
kinetic Does not exist
impish Does not exist
jammy Does not exist
lunar Does not exist
upstream Needs triage
xenial Does not exist

postgresql-9.1
Launchpad, Ubuntu, Debian
hirsute Does not exist
upstream Needs triage
trusty Does not exist
xenial Does not exist
bionic Does not exist
focal Does not exist
groovy Does not exist
kinetic Does not exist
impish Does not exist
jammy Does not exist
lunar Does not exist

postgresql-12
Launchpad, Ubuntu, Debian
hirsute Does not exist
upstream Released (12.4-1)
trusty Does not exist
xenial Does not exist
bionic Does not exist
focal Released (12.4-0ubuntu0.20.04.1)
groovy Released (12.4-1)
kinetic Does not exist
impish Does not exist
jammy Does not exist
lunar Does not exist

Patches:
upstream: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=7eeb1d9861b0a3f453f8b31c7648396cdd7f1e59

Severity score breakdown

Parameter Value
Base score 7.3
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction Required
Scope Unchanged
Confidentiality High
Integrity impact High
Availability impact High
Vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H