CVE-2019-10128 in PostgreSQL

Summary

by MITRE • 03/20/2021

A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for EnterpriseDB-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, this allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In plausible non-default configurations, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code.


Analysis

by VulDB Data Team • 09/07/2025

This vulnerability affects the PostgreSQL database management system, versions 11.x prior to 11.3, and specifically the Windows installer supplied by EnterpriseDB. The core issue is that the installer does not set a restrictive access control list (ACL) on the binary installation directory or the data directory during installation. The result is a persistent weakness: local users can bypass the database's own access controls by reading files directly from the file system.

Technically, the flaw is that both directories keep the ACL inherited from their parent directory rather than receiving an explicitly configured, restrictive one. That inherited permission set typically grants broader access than database operation requires, which opens a path to information disclosure and, in some configurations, privilege escalation.

The operational impact is significant: a local attacker can read arbitrary files in the data directory that should be protected by database-level access controls, including any sensitive data stored in the PostgreSQL instance, which effectively bypasses the database's own security mechanisms. In plausible non-default configurations, an attacker holding both an unprivileged Windows account and an unprivileged PostgreSQL account can go further and cause the PostgreSQL service account to execute arbitrary code.

The weakness corresponds to CWE-276 (Incorrect Default Permissions) and maps to the Privilege Escalation tactic in the MITRE ATT&CK framework. It is a failure of least privilege at installation time: default permissions are not tightened to keep unauthorized users away from sensitive components. Organizations should upgrade to PostgreSQL 11.3 or later. Since directories created by an affected installer may still carry the inherited ACL, administrators should also review the permissions of existing installations and audit every PostgreSQL instance to identify and correct inherited ACL issues introduced by earlier installer versions.
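The audit and correction described above can be scripted. The following PowerShell is an added example written for this page; it is not code from VulDB, EnterpriseDB or the PostgreSQL project. It reports whether a directory still inherits its ACL from the parent and whether any access control entry grants a broad local principal (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE) access, then optionally replaces the ACL with an explicit one. The directory paths, the service account name and the set of principals kept in the corrected ACL are assumptions that must be matched to the installation being audited.

```powershell
# Added example (not VulDB's or PostgreSQL's own code): audit a PostgreSQL
# directory for the inherited-ACL condition behind CVE-2019-10128 and
# optionally replace it with an explicit ACL. Paths, service account and the
# principal lists are assumptions; run elevated so Get-Acl/Set-Acl succeed.

# Well-known SIDs that should not hold an Allow ACE on a database directory.
# Matching by SID avoids problems with localized account names.
$BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

function Get-PgDirectoryAclFindings {
    param([Parameter(Mandatory)] [string] $Path)

    $acl      = Get-Acl -LiteralPath $Path
    $findings = [System.Collections.Generic.List[object]]::new()

    # Finding 1: inheritance still enabled. This is the state the affected
    # installer leaves behind; a hardened directory has protected ACL rules.
    if (-not $acl.AreAccessRulesProtected) {
        $findings.Add([pscustomobject]@{
            Path = $Path; Issue = 'InheritanceEnabled'; Identity = $null; Rights = $null
        })
    }

    # Finding 2: any Allow ACE for a broad principal, inherited or explicit.
    # Read access alone is enough to copy data files, so every right counts.
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable identity; skip rather than abort
        if (-not $BroadPrincipals.ContainsKey($sid)) { continue }

        $issue = if ($ace.IsInherited) { 'InheritedBroadAccess' } else { 'ExplicitBroadAccess' }
        $findings.Add([pscustomobject]@{
            Path     = $Path
            Issue    = $issue
            Identity = $BroadPrincipals[$sid]
            Rights   = $ace.FileSystemRights
        })
    }
    return $findings
}

function Set-PgDirectoryExplicitAcl {
    # Replaces the directory ACL with full control for SYSTEM, Administrators
    # and the PostgreSQL service account only. Which account runs the service
    # is installation-specific (assumption: the caller knows it).
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ServiceAccount
    )
    $acl = Get-Acl -LiteralPath $Path

    # Stop inheriting and discard (not copy) the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop any remaining explicit entries so the result is exactly the rules below.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($identity in @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', $ServiceAccount)) {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $identity,
            [System.Security.AccessControl.FileSystemRights]::FullControl,
            $inherit, $prop,
            [System.Security.AccessControl.AccessControlType]::Allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Usage (paths are assumptions; confirm the real binary and data directories
# from the service definition before auditing):
$dirs = 'C:\Program Files\PostgreSQL\11', 'C:\Program Files\PostgreSQL\11\data'
$dirs | ForEach-Object { Get-PgDirectoryAclFindings -Path $_ } | Format-Table -AutoSize
# After reviewing the findings, correct a directory explicitly, for example:
# Set-PgDirectoryExplicitAcl -Path 'C:\Program Files\PostgreSQL\11\data' -ServiceAccount 'NT AUTHORITY\NETWORK SERVICE'
```

Run the audit first and treat an empty result as the expected state for both directories. The remediation function is deliberately separate and not invoked automatically: it removes every ACE, including any the installation legitimately added, so check the reported findings and the account under which the PostgreSQL service runs before applying it, and test on a non-production instance since a wrong service account name will stop the service from reading its own data directory.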

Reservation

03/27/2019

Disclosure

03/20/2021

Moderation

accepted

CPE

ready

EPSS

0.00065

KEV

no

Activities

very low

Sources
