CVE-2019-9193: OS Command Injection
First published: Mon Apr 01 2019(Updated: )
** DISPUTED ** In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| IBM Security Verify Governance | <=10.0 | |
| PostgreSQL PostgreSQL | >=9.3<=11.2 | |
| >=9.3<=11.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://packetstormsecurity.com/files/152757/PostgreSQL-COPY-FROM-PROGRAM-Command-Execution.html
- http://packetstormsecurity.com/files/166540/PostgreSQL-11.7-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/171722/PostgreSQL-9.6.1-Remote-Code-Execution.html
- https://blog.hagander.net/when-a-vulnerability-is-not-a-vulnerability-244/
- https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
- https://paquier.xyz/postgresql-2/postgres-9-3-feature-highlight-copy-tofrom-program/
- https://security.netapp.com/advisory/ntap-20190502-0003/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/authenticated-arbitrary-command-execution-on-postgresql-9-3/
- https://exchange.xforce.ibmcloud.com/vulnerabilities/159212
- https://www.ibm.com/support/pages/node/7057377 (Advisory)
Frequently Asked Questions
What is CVE-2019-9193?
CVE-2019-9193 is a vulnerability in PostgreSQL where the "COPY TO/FROM PROGRAM" function allows authenticated attackers to execute arbitrary code on the system.
How severe is CVE-2019-9193?
CVE-2019-9193 has a severity score of 7.2 (critical).
Which software versions are affected by CVE-2019-9193?
PostgreSQL versions 9.3 through 11.2 are affected by CVE-2019-9193. Additionally, IBM Security Verify Governance version 10.0 is also affected.
How can an attacker exploit CVE-2019-9193?
By using the "COPY TO/FROM PROGRAM" function, superusers and users in the 'pg_execute_server_program' group can execute arbitrary code in the context of the database's operating system user.
Are there any references for CVE-2019-9193?
Yes, you can find references for CVE-2019-9193 at the following links: [1](http://packetstormsecurity.com/files/152757/PostgreSQL-COPY-FROM-PROGRAM-Command-Execution.html), [2](http://packetstormsecurity.com/files/166540/PostgreSQL-11.7-Remote-Code-Execution.html), [3](http://packetstormsecurity.com/files/171722/PostgreSQL-9.6.1-Remote-Code-Execution.html)
- collector/ibm-support
- agent/references
- agent/type
- agent/first-publish-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- agent/severity
- agent/weakness
- agent/status
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/author
- agent/softwarecombine
- agent/description
- agent/tags
- agent/event
- vendor/ibm
- canonical/ibm security verify governance
- version/ibm security verify governance/10.0
- status/disputed
- vendor/postgresql
- canonical/postgresql postgresql
- version/postgresql postgresql/9.3
- version/postgresql postgresql/11.2