CVE-2020-14349: SQL Injection
First published: Tue Aug 04 2020(Updated: )
A flaw was found in PostgreSQL, where it did not properly sanitize the search_path during logical replication. This flaw allows an authenticated attacker to use this flaw in an attack similar to CVE-2018-1058 to execute an arbitrary SQL command in the user's context for replication. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-postgresql10-postgresql | <0:10.14-1.el7 | 0:10.14-1.el7 |
| redhat/rh-postgresql12-postgresql | <0:12.4-1.el7 | 0:12.4-1.el7 |
| redhat/rhvm-appliance | <0:4.4-20210310.0.el8e | 0:4.4-20210310.0.el8e |
| redhat/postgresql | <12.4 | 12.4 |
| redhat/postgresql | <11.9 | 11.9 |
| redhat/postgresql | <10.14 | 10.14 |
| PostgreSQL PostgreSQL | >=10.0<10.14 | |
| PostgreSQL PostgreSQL | >=11.0<11.9 | |
| PostgreSQL PostgreSQL | >=12.0<12.4 | |
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =15.2 | |
| debian/postgresql-11 | ||
| debian/postgresql-12 | ||
| debian/postgresql-9.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-14349 https://nvd.nist.gov/vuln/detail/CVE-2020-14349
- https://bugzilla.redhat.com/show_bug.cgi?id=1865744
- https://access.redhat.com/errata/RHSA-2020:3669
- https://access.redhat.com/errata/RHSA-2020:5620
- https://access.redhat.com/errata/RHSA-2020:5664
- https://access.redhat.com/errata/RHSA-2021:0166
- https://access.redhat.com/errata/RHSA-2021:0163
- https://access.redhat.com/errata/RHSA-2020:5110
- https://access.redhat.com/errata/RHSA-2020:5112
- https://access.redhat.com/errata/RHSA-2021:0988
- https://access.redhat.com/security/cve/cve-2020-14349
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html
- https://security.gentoo.org/glsa/202008-13
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html
- https://usn.ubuntu.com/4472-1/
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html
- https://security.netapp.com/advisory/ntap-20200918-0002/
- https://launchpad.net/bugs/cve/CVE-2020-14349
- https://access.redhat.com/security/cve/CVE-2018-1058
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1868662
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1868663
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1868665
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1868667
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=11da97024abbe76b8c81e3f2375b2a62e9717c67
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cec57b1a0fbcd3833086ba686897c5883e0a2afc
- https://www.postgresql.org/about/news/2060/
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=11da97024abbe76b8c81e3f2375b2a62e9717c67
- https://git.postgresql.org/gitweb/?p=postgresql.git;a=commit;h=cec57b1a0fbcd3833086ba686897c5883e0a2afc
- https://security-tracker.debian.org/tracker/CVE-2020-14349
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14349
- https://nvd.nist.gov/vuln/detail/CVE-2020-14349
- https://ubuntu.com/security/CVE-2020-14349
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2020-14349?
CVE-2020-14349 is a vulnerability that affects PostgreSQL versions before 12.4, before 11.9, and before 10.14. It allows an authenticated attacker to execute arbitrary SQL commands in the user's context for replication.
How does CVE-2020-14349 impact PostgreSQL?
CVE-2020-14349 impacts PostgreSQL by not properly sanitizing the search_path during logical replication, which allows an attacker to execute arbitrary SQL commands in the user's context for replication.
What is the severity of CVE-2020-14349?
CVE-2020-14349 has a severity value of 7 (high).
Which versions of PostgreSQL are affected by CVE-2020-14349?
CVE-2020-14349 affects versions before 12.4, before 11.9, and before 10.14 of PostgreSQL.
How can I fix the CVE-2020-14349 vulnerability?
To fix the CVE-2020-14349 vulnerability, you should update PostgreSQL to version 12.4, version 11.9, or version 10.14.
- collector/redhat-cve
- collector/launchpad-cve
- source/Launchpad
- agent/first-publish-date
- agent/remedy
- agent/type
- agent/author
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-14349
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/security-tracker-debian
- source/Debian
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- agent/trending
- package-manager/redhat
- vendor/postgresql
- canonical/postgresql postgresql
- version/postgresql postgresql/10.0
- version/postgresql postgresql/11.0
- version/postgresql postgresql/12.0
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- version/opensuse leap/15.2
- package-manager/debian