CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
14.2%
It was found that some PostgreSQL extensions did not use search_path safely
in their installation script. An attacker with sufficient privileges could
use this flaw to trick an administrator into executing a specially crafted
script, during the installation or update of such extension. This affects
PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19,
and before 9.5.23.
Author | Note |
---|---|
leosilva | Since we don’t have how to give support for postgresql-9.1 that is end of life in upstream, marking as ignored to precise. since 9.3 has no long upstream support and so far we have no ways to patch it deferred it for -esm-main releases. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | postgresql-10 | < 10.14-0ubuntu0.18.04.1 | UNKNOWN |
ubuntu | 20.04 | noarch | postgresql-12 | < 12.4-0ubuntu0.20.04.1 | UNKNOWN |
ubuntu | 20.10 | noarch | postgresql-12 | < 12.4-1 | UNKNOWN |
ubuntu | 14.04 | noarch | postgresql-9.3 | < any | UNKNOWN |
ubuntu | 16.04 | noarch | postgresql-9.5 | < 9.5.23-0ubuntu0.16.04.1 | UNKNOWN |
CVSS2
Attack Vector
LOCAL
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS
Percentile
14.2%