First published: Tue Aug 04 2020
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/rh-postgresql96-postgresql | <0:9.6.19-1.el7 | 0:9.6.19-1.el7 |
redhat/rh-postgresql10-postgresql | <0:10.14-1.el7 | 0:10.14-1.el7 |
redhat/rh-postgresql12-postgresql | <0:12.4-1.el7 | 0:12.4-1.el7 |
redhat/rhvm-appliance | <0:4.4-20210310.0.el8e | 0:4.4-20210310.0.el8e |
redhat/postgresql | <12.4 | 12.4 |
redhat/postgresql | <11.9 | 11.9 |
redhat/postgresql | <10.14 | 10.14 |
redhat/postgresql | <9.6.19 | 9.6.19 |
redhat/postgresql | <9.5.23 | 9.5.23 |
ubuntu/postgresql-10 | <10.14-0ubuntu0.18.04.1 | 10.14-0ubuntu0.18.04.1 |
ubuntu/postgresql-10 | <10.14 | 10.14 |
ubuntu/postgresql-12 | <12.4-0ubuntu0.20.04.1 | 12.4-0ubuntu0.20.04.1 |
ubuntu/postgresql-12 | <12.4-1 | 12.4-1 |
ubuntu/postgresql-9.5 | <9.5.23 | 9.5.23 |
ubuntu/postgresql-9.5 | <9.5.23-0ubuntu0.16.04.1 | 9.5.23-0ubuntu0.16.04.1 |
debian/postgresql-11 | 11.16-0+deb10u1 11.22-0+deb10u1 | |
PostgreSQL PostgreSQL | >=9.5<9.5.23 | |
PostgreSQL PostgreSQL | >=9.6<9.6.19 | |
PostgreSQL PostgreSQL | >=10.0<10.14 | |
PostgreSQL PostgreSQL | >=11.0<11.9 | |
PostgreSQL PostgreSQL | >=12.0<12.4 | |
Debian Debian Linux | =9.0 | |
openSUSE Leap | =15.1 | |
openSUSE Leap | =15.2 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =20.04 | |
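The advisory describes extension installation scripts that resolved object names through an unsafe search_path. As an added example (not from the advisory, and not code from the PostgreSQL project), the SQL below shows the defensive pattern an extension author uses in an install script, pinning search_path for the transaction and schema-qualifying every reference, followed by two checks an administrator can run: which extensions are installed and into which schema, and whether the connected server is at or beyond the fixed minor versions listed above. The extension name `my_ext`, its target schema and the function `normalize_email` are hypothetical.

```sql
-- ---- my_ext--1.0.sql (hypothetical extension install script) -----------
-- CREATE EXTENSION runs this script inside its own transaction, so
-- SET LOCAL pins name resolution for the rest of the script and prevents
-- an unqualified name from being captured by an object that a
-- less-privileged role created in a schema on the caller's search_path.
SET LOCAL search_path TO pg_catalog, pg_temp;

-- Objects the script creates are addressed through their target schema.
-- @extschema@ is substituted by CREATE EXTENSION when the control file
-- declares relocatable = false; every other reference is spelled out
-- with pg_catalog so the script never depends on the caller's path.
CREATE FUNCTION @extschema@.normalize_email(pg_catalog.text)
RETURNS pg_catalog.text
LANGUAGE sql IMMUTABLE STRICT
SET search_path = pg_catalog, pg_temp          -- also pinned at call time
AS $$ SELECT pg_catalog.lower(pg_catalog.btrim($1)) $$;

-- Operators are qualified with the OPERATOR(schema.op) form.
CREATE FUNCTION @extschema@.same_email(pg_catalog.text, pg_catalog.text)
RETURNS pg_catalog.bool
LANGUAGE sql IMMUTABLE STRICT
SET search_path = pg_catalog, pg_temp
AS $$ SELECT @extschema@.normalize_email($1)
             OPERATOR(pg_catalog.=) @extschema@.normalize_email($2) $$;

-- ---- Administrator checks (run with psql on the server in question) ----
-- 1. Inventory: which extensions are installed, at what version, and in
--    which schema their objects live. Extensions whose target schema is
--    writable by non-administrators deserve the closest look before an
--    ALTER EXTENSION ... UPDATE is run.
SELECT e.extname,
       e.extversion,
       n.nspname AS target_schema,
       e.extrelocatable
FROM   pg_catalog.pg_extension e
JOIN   pg_catalog.pg_namespace n ON n.oid = e.extnamespace
ORDER  BY e.extname;

-- 2. Version gate: true when the server's major line is at or beyond the
--    fixed release named in the advisory (12.4, 11.9, 10.14, 9.6.19, 9.5.23);
--    NULL when the major line is outside the advisory's scope.
--    server_version_num encodes 12.4 as 120004, 9.6.19 as 90619, and so on.
SELECT v AS server_version_num,
       v >= CASE
              WHEN v BETWEEN 120000 AND 129999 THEN 120004   -- 12.4
              WHEN v BETWEEN 110000 AND 119999 THEN 110009   -- 11.9
              WHEN v BETWEEN 100000 AND 109999 THEN 100014   -- 10.14
              WHEN v BETWEEN  90600 AND  90699 THEN  90619   -- 9.6.19
              WHEN v BETWEEN  90500 AND  90599 THEN  90523   -- 9.5.23
            END AS patched_for_cve_2020_14350
FROM   (SELECT pg_catalog.current_setting('server_version_num')::int) AS s(v);
```

The script portion is a template for extension authors; the two queries are what an operator runs after applying the packages in the table above to confirm the server is on a fixed release and to see which installed extensions will pick up the corrected scripts on their next update.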
CVE-2020-14350 is a vulnerability found in PostgreSQL that allows an attacker to execute a specially crafted script during the installation or update of certain PostgreSQL extensions.
CVE-2020-14350 has a severity rating of 7.1 (high).
PostgreSQL versions before 12.4, 11.9, 10.14, 9.6.19, and 9.5.23 are affected by CVE-2020-14350.
An attacker with sufficient privileges can trick an administrator into executing a specially crafted script during the extension's installation or update.
More information about CVE-2020-14350 is available in the following references: [link 1](https://bugzilla.redhat.com/show_bug.cgi?id=1868670), [link 2](https://bugzilla.redhat.com/show_bug.cgi?id=1868666), [link 3](https://bugzilla.redhat.com/show_bug.cgi?id=1868668).