CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
Low
An extension script is vulnerable if it uses @extowner@
, @extschema@
, or @extschema:...@
inside a quoting construct (dollar quoting, ''
, or ""
). No bundled extension is vulnerable. Vulnerable uses do appear in a documentation example and in non-bundled extensions. Hence, the attack prerequisite is an administrator having installed files of a vulnerable, trusted, non-bundled extension. Subject to that prerequisite, this enables an attacker having database-level CREATE
privilege to execute arbitrary code as the bootstrap superuser. PostgreSQL will block this attack in the core server, so there’s no need to modify individual extensions.
The PostgreSQL project thanks Micah Gates, Valerie Woolard, Tim Carey-Smith, and Christoph Berg for reporting this problem.
Vendor | Product | Version | CPE |
---|---|---|---|
postgresql | postgresql | * | cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:* |