PostgreSQL up to 12.3 Installation Script untrusted search path

Summaryinfo

A vulnerability classified as critical has been found in PostgreSQL up to 9.5.22/9.6.18/10.13/11.8/12.3. Impacted is an unknown function of the component Installation Script. The manipulation leads to untrusted search path. This vulnerability is uniquely identified as CVE-2020-14350. Local access is required to approach this attack. No exploit exists. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability was found in PostgreSQL up to 9.5.22/9.6.18/10.13/11.8/12.3 (Database Software) and classified as critical. This issue affects some unknown processing of the component Installation Script. The manipulation with an unknown input leads to a untrusted search path vulnerability. Using CWE to declare the problem leads to CWE-426. The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. Impacted is confidentiality, integrity, and availability. The summary by CVE is:

It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.

The weakness was disclosed 08/24/2020 (Website). It is possible to read the advisory at lists.debian.org. The identification of this vulnerability is CVE-2020-14350 since 06/17/2020. Attacking locally is a requirement. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. The technical details are unknown and an exploit is not publicly available. The attack technique deployed by this issue is T1574 according to MITRE ATT&CK.

The vulnerability scanner Nessus provides a plugin with the ID 236609 (Alibaba Cloud Linux 3 : 0017: postgresql:12 (ALINUX3-SA-2021:0017)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 9.5.23, 9.6.19, 10.14, 11.9 or 12.4 eliminates this vulnerability.

The vulnerability is also documented in the vulnerability database at Tenable (236609). The entry VDB-160186 is pretty similar. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Database Software

Name

• PostgreSQL

Version

• 9.5.0
• 9.5.1
• 9.5.2
• 9.5.3
• 9.5.4
• 9.5.5
• 9.5.6
• 9.5.7
• 9.5.8
• 9.5.9
• 9.5.10
• 9.5.11
• 9.5.12
• 9.5.13
• 9.5.14
• 9.5.15
• 9.5.16
• 9.5.17
• 9.5.18
• 9.5.19
• 9.5.20
• 9.5.21
• 9.5.22
• 9.6.0
• 9.6.1
• 9.6.2
• 9.6.3
• 9.6.4
• 9.6.5
• 9.6.6
• 9.6.7
• 9.6.8
• 9.6.9
• 9.6.10
• 9.6.11
• 9.6.12
• 9.6.13
• 9.6.14
• 9.6.15
• 9.6.16
• 9.6.17
• 9.6.18
• 10.0
• 10.1
• 10.2
• 10.3
• 10.4
• 10.5
• 10.6
• 10.7
• 10.8
• 10.9
• 10.10
• 10.11
• 10.12
• 10.13
• 11.0
• 11.1
• 11.2
• 11.3
• 11.4
• 11.5
• 11.6
• 11.7
• 11.8
• 12.0
• 12.1
• 12.2
• 12.3

License

• open-source

Website

• Product: https://www.postgresql.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion