CVE-2020-14350
Published: 17 August 2020
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.
Priority
Medium
CVSS 3 base score: 7.3
Status
| Package | Release | Status |
|---|---|---|
|
postgresql-10 Launchpad, Ubuntu, Debian |
bionic |
Released
(10.14-0ubuntu0.18.04.1)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(10.14)
|
|
| xenial |
Does not exist
|
|
|
postgresql-12 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(12.4-0ubuntu0.20.04.1)
|
|
| groovy |
Released
(12.4-1)
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(12.4-1)
|
|
| xenial |
Does not exist
|
|
|
postgresql-9.1 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Ignored
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
postgresql-9.3 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Deferred
(2019-08-31)
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
postgresql-9.5 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(9.5.23)
|
|
| xenial |
Released
(9.5.23-0ubuntu0.16.04.1)
|
Notes
| Author | Note |
|---|---|
| leosilva | Since we don't have how to give support for postgresql-9.1 that is end of life in upstream, marking as ignored to precise. since 9.3 has no long upstream support and so far we have no ways to patch it deferred it for -esm-main releases. |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14350
- https://www.postgresql.org/about/news/2060/
- https://ubuntu.com/security/notices/USN-4472-1
- NVD
- Launchpad
- Debian