CVE-2019-10127 in PostgreSQL
Summary
by MITRE • 03/20/2021
A vulnerability was found in PostgreSQL versions 11.x prior to 11.3. The Windows installer for BigSQL-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. An attacker having only the unprivileged Windows account can read arbitrary data directory files, essentially bypassing database-imposed read access limitations. An attacker having only the unprivileged Windows account can also delete certain data directory files.
Analysis
by VulDB Data Team • 09/07/2025
This vulnerability exists in PostgreSQL versions 11.x prior to 11.3, in the Windows installer provided by BigSQL. The core flaw is improper access control during installation: the installer does not secure the permissions of the binary installation directory or the data directory. Instead of applying restrictive access controls, it keeps the inherited ACLs, which grant excessive permissions to unprivileged accounts. This is a classic weakness categorized under CWE-276, specifically improper privilege management and inadequate access control enforcement. Because the installer applies no hardening during installation, the gap persists afterwards and affects the entire system.
The operational impact is severe and multi-faceted for systems running affected PostgreSQL versions. An attacker with only an unprivileged Windows account can bypass database-level read access controls and read arbitrary data directory files. The resulting information disclosure undermines the database's own access control mechanisms. The same attacker can also delete critical data directory files, potentially causing data loss or service disruption. Combined with access to an unprivileged PostgreSQL account, the threat escalates significantly: the attacker can escalate privileges and execute arbitrary code under the PostgreSQL service account. This scenario aligns with the techniques described in the ATT&CK framework under the privilege escalation and code execution categories.
The security implications extend beyond simple access control violations and represent a fundamental failure of the principle of least privilege during software deployment. The vulnerability shows how an installer can create persistent weaknesses that affect system integrity and data confidentiality. Organizations running affected PostgreSQL installations face a significant risk of data breaches, unauthorized data manipulation, and potential system compromise. The weakness affects the entire PostgreSQL service stack and can be exploited without elevated privileges, which makes it particularly dangerous in environments where multiple users have access to the system. It impacts the integrity and confidentiality aspects of the CIA triad, with potential consequences for availability as well through the file deletion capability. The attack vector is the installer's failure to implement security controls, a common pattern in software supply chain vulnerabilities and a critical gap in the security posture of database installations.
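An audit for the condition described above, as an added example that is not part of the original entry or of any vendor tooling: it reports Allow entries for broad built-in groups on the binary and data directories, and whether those entries are inherited. The function name and the two directory paths are assumptions; replace the placeholder paths with the real installation locations.

```powershell
# Added example (not from the advisory): list ACEs that give broad built-in
# groups access to a PostgreSQL directory, flagging inherited and write-capable ones.
function Test-PgDirectoryAcl {
    param([Parameter(Mandatory)][string]$Path)

    # Well-known SIDs are used so the check is independent of the OS language.
    $broadSids = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    # Rights that allow changing or deleting files, plus GENERIC_WRITE and
    # GENERIC_ALL, which the FileSystemRights enum does not name.
    $fsr = [System.Security.AccessControl.FileSystemRights]
    $modifyMask = ([int]($fsr'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')) -bor 0x40000000 -bor 0x10000000

    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # Include both explicit and inherited rules, with identities returned as SIDs.
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (-not $broadSids.ContainsKey($sid)) { continue }

        [pscustomobject]@{
            Path               = $Path
            Principal          = $broadSids[$sid]
            Rights             = $rule.FileSystemRights
            CanModify          = (([int]$rule.FileSystemRights) -band $modifyMask) -ne 0
            Inherited          = $rule.IsInherited
            # False means inheritance from the parent directory has been disabled.
            InheritanceEnabled = -not $acl.AreAccessRulesProtected
        }
    }
}

# Placeholder paths (assumptions): substitute the actual binary and data directories.
$dirs = 'C:\path\to\postgresql\bin', 'C:\path\to\postgresql\data'
$dirs | Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Test-PgDirectoryAcl -Path $_ } |
    Format-Table -AutoSize
```

Any row for the data directory is a finding, since read access alone bypasses database-imposed read limits; for the binary directory, rows with CanModify set to True are the ones that matter for code execution by the service account.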