Vulnerability-Lookup

CVE-2020-14349 (GCVE-0-2020-14349)

Vulnerability from cvelistv5 – Published: 2020-08-24 12:32 – Updated: 2024-08-04 12:39

Summary

It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.

Severity ?

No CVSS data available.

CWE

Improper Input Validation

Assigner

redhat

References

9 references

URL	Tags
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
https://bugzilla.redhat.com/show_bug.cgi?id=1865744	x_refsource_MISC
https://security.gentoo.org/glsa/202008-13	vendor-advisoryx_refsource_GENTOO
https://usn.ubuntu.com/4472-1/	vendor-advisoryx_refsource_UBUNTU
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
https://security.netapp.com/advisory/ntap-2020091…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
n/a	PostgreSQL	Affected: PostgreSQL versions before 12.4, before 11.9 and before 10.14

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T12:39:36.599Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "openSUSE-SU-2020:1228",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"
          },
          {
            "name": "openSUSE-SU-2020:1244",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"
          },
          {
            "name": "openSUSE-SU-2020:1243",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865744"
          },
          {
            "name": "GLSA-202008-13",
            "tags": [
              "vendor-advisory",
              "x_refsource_GENTOO",
              "x_transferred"
            ],
            "url": "https://security.gentoo.org/glsa/202008-13"
          },
          {
            "name": "USN-4472-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4472-1/"
          },
          {
            "name": "openSUSE-SU-2020:1312",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"
          },
          {
            "name": "openSUSE-SU-2020:1326",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200918-0002/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PostgreSQL",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "PostgreSQL versions before 12.4, before 11.9 and before 10.14"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Improper Input Validation",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-18T11:06:17.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "name": "openSUSE-SU-2020:1228",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"
        },
        {
          "name": "openSUSE-SU-2020:1244",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"
        },
        {
          "name": "openSUSE-SU-2020:1243",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865744"
        },
        {
          "name": "GLSA-202008-13",
          "tags": [
            "vendor-advisory",
            "x_refsource_GENTOO"
          ],
          "url": "https://security.gentoo.org/glsa/202008-13"
        },
        {
          "name": "USN-4472-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4472-1/"
        },
        {
          "name": "openSUSE-SU-2020:1312",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"
        },
        {
          "name": "openSUSE-SU-2020:1326",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200918-0002/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2020-14349",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "PostgreSQL",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "PostgreSQL versions before 12.4, before 11.9 and before 10.14"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Improper Input Validation"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "openSUSE-SU-2020:1228",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"
            },
            {
              "name": "openSUSE-SU-2020:1244",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"
            },
            {
              "name": "openSUSE-SU-2020:1243",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=1865744",
              "refsource": "MISC",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865744"
            },
            {
              "name": "GLSA-202008-13",
              "refsource": "GENTOO",
              "url": "https://security.gentoo.org/glsa/202008-13"
            },
            {
              "name": "USN-4472-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4472-1/"
            },
            {
              "name": "openSUSE-SU-2020:1312",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"
            },
            {
              "name": "openSUSE-SU-2020:1326",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200918-0002/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200918-0002/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2020-14349",
    "datePublished": "2020-08-24T12:32:13.000Z",
    "dateReserved": "2020-06-17T00:00:00.000Z",
    "dateUpdated": "2024-08-04T12:39:36.599Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-14349",
      "date": "2026-05-24",
      "epss": "0.01548",
      "percentile": "0.81637"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"10.0\", \"versionEndExcluding\": \"10.14\", \"matchCriteriaId\": \"66E3FC4A-00FF-4006-A9E6-7B9ED8EB3F2E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"11.0\", \"versionEndExcluding\": \"11.9\", \"matchCriteriaId\": \"B74FDCC8-2D95-45FB-B8DE-2C1AAA71D446\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"12.0\", \"versionEndExcluding\": \"12.4\", \"matchCriteriaId\": \"5300CA7F-5BB7-40BA-9237-C4865C1373CF\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B620311B-34A3-48A6-82DF-6F078D7A4493\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B009C22E-30A4-4288-BCF6-C3E81DEAF45A\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.\"}, {\"lang\": \"es\", \"value\": \"Se detect\\u00f3 que las versiones de PostgreSQL anteriores a 12.4, anteriores a 11.9 y anteriores a 10.14, no saneban apropiadamente la funci\\u00f3n search_path durante la replicaci\\u00f3n l\\u00f3gica. Un atacante autenticado podr\\u00eda usar este fallo en un ataque similar al CVE-2018-1058, para ejecutar un comando SQL arbitrario en el contexto del usuario usado para la replicaci\\u00f3n.\"}]",
      "id": "CVE-2020-14349",
      "lastModified": "2024-11-21T05:03:04.083",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.1, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.2, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:H/Au:S/C:P/I:P/A:P\", \"baseScore\": 4.6, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"HIGH\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 3.9, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
      "published": "2020-08-24T13:15:10.903",
      "references": "[{\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\", \"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1865744\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202008-13\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200918-0002/\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/4472-1/\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\", \"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1865744\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Third Party Advisory\"]}, {\"url\": \"https://security.gentoo.org/glsa/202008-13\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://security.netapp.com/advisory/ntap-20200918-0002/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://usn.ubuntu.com/4472-1/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-89\"}, {\"lang\": \"en\", \"value\": \"CWE-427\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-14349\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2020-08-24T13:15:10.903\",\"lastModified\":\"2024-11-21T05:03:04.083\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.\"},{\"lang\":\"es\",\"value\":\"Se detect\u00f3 que las versiones de PostgreSQL anteriores a 12.4, anteriores a 11.9 y anteriores a 10.14, no saneban apropiadamente la funci\u00f3n search_path durante la replicaci\u00f3n l\u00f3gica. Un atacante autenticado podr\u00eda usar este fallo en un ataque similar al CVE-2018-1058, para ejecutar un comando SQL arbitrario en el contexto del usuario usado para la replicaci\u00f3n.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.2,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:H/Au:S/C:P/I:P/A:P\",\"baseScore\":4.6,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"HIGH\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":3.9,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"},{\"lang\":\"en\",\"value\":\"CWE-427\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"10.0\",\"versionEndExcluding\":\"10.14\",\"matchCriteriaId\":\"66E3FC4A-00FF-4006-A9E6-7B9ED8EB3F2E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"11.0\",\"versionEndExcluding\":\"11.9\",\"matchCriteriaId\":\"B74FDCC8-2D95-45FB-B8DE-2C1AAA71D446\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"12.0\",\"versionEndExcluding\":\"12.4\",\"matchCriteriaId\":\"5300CA7F-5BB7-40BA-9237-C4865C1373CF\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B620311B-34A3-48A6-82DF-6F078D7A4493\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B009C22E-30A4-4288-BCF6-C3E81DEAF45A\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1865744\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202008-13\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20200918-0002/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4472-1/\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1865744\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202008-13\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20200918-0002/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4472-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

CERTFR-2020-AVI-510

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans PostgreSQL. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
PostgreSQL	PostgreSQL	PostgreSQL versions 12.x antérieures à 12.4
PostgreSQL	PostgreSQL	PostgreSQL versions 10.x antérieures à 10.14
PostgreSQL	PostgreSQL	PostgreSQL versions 11.x antérieures à 11.9
PostgreSQL	PostgreSQL	PostgreSQL versions 9.6.x antérieures à 9.6.19
PostgreSQL	PostgreSQL	PostgreSQL versions 9.5.x antérieures à 9.5.23

References

Title

Publication Time

CERTFR-2020-AVI-510

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans PostgreSQL. Elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
PostgreSQL	PostgreSQL	PostgreSQL versions 12.x antérieures à 12.4
PostgreSQL	PostgreSQL	PostgreSQL versions 10.x antérieures à 10.14
PostgreSQL	PostgreSQL	PostgreSQL versions 11.x antérieures à 11.9
PostgreSQL	PostgreSQL	PostgreSQL versions 9.6.x antérieures à 9.6.19
PostgreSQL	PostgreSQL	PostgreSQL versions 9.5.x antérieures à 9.5.23

References

Title

Publication Time

alsa-2020:5620

Vulnerability from osv_almalinux

Published

2020-12-17 15:30

Modified

2020-12-17 15:30

Summary

Important: postgresql:12 security update

Details

PostgreSQL is an advanced object-relational database management system (DBMS).

The following packages have been upgraded to a later upstream version: postgresql (12.5).

Security Fix(es):

postgresql: Reconnection can downgrade connection security settings (CVE-2020-25694)
postgresql: Multiple features escape "security restricted operation" sandbox (CVE-2020-25695)
postgresql: Uncontrolled search path element in logical replication (CVE-2020-14349)
postgresql: Uncontrolled search path element in CREATE EXTENSION (CVE-2020-14350)
postgresql: psql's \gset allows overwriting specially treated variables (CVE-2020-25696)
postgresql: ALTER ... DEPENDS ON EXTENSION is missing authorization checks (CVE-2020-1720)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References

URL

Type

	https://errata.almalinux.org/8/ALSA-2020-5620.html	ADVISORY
	https://vulners.com/cve/CVE-2020-14349	REPORT
	https://vulners.com/cve/CVE-2020-14350	REPORT
	https://vulners.com/cve/CVE-2020-1720	REPORT
	https://vulners.com/cve/CVE-2020-25694	REPORT
	https://vulners.com/cve/CVE-2020-25695	REPORT
	https://vulners.com/cve/CVE-2020-25696	REPORT

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "postgres-decoderbufs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.0-2.module_el8.6.0+2760+1746ec94"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "AlmaLinux:8",
        "name": "postgres-decoderbufs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.10.0-2.module_el8.6.0+2758+4f4474df"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "details": "PostgreSQL is an advanced object-relational database management system (DBMS).\n\nThe following packages have been upgraded to a later upstream version: postgresql (12.5).\n\nSecurity Fix(es):\n\n* postgresql: Reconnection can downgrade connection security settings (CVE-2020-25694)\n\n* postgresql: Multiple features escape \"security restricted operation\" sandbox (CVE-2020-25695)\n\n* postgresql: Uncontrolled search path element in logical replication (CVE-2020-14349)\n\n* postgresql: Uncontrolled search path element in CREATE EXTENSION (CVE-2020-14350)\n\n* postgresql: psql\u0027s \\gset allows overwriting specially treated variables (CVE-2020-25696)\n\n* postgresql: ALTER ... DEPENDS ON EXTENSION is missing authorization checks (CVE-2020-1720)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.",
  "id": "ALSA-2020:5620",
  "modified": "2020-12-17T15:30:10Z",
  "published": "2020-12-17T15:30:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://errata.almalinux.org/8/ALSA-2020-5620.html"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-14349"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-14350"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-1720"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-25694"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-25695"
    },
    {
      "type": "REPORT",
      "url": "https://vulners.com/cve/CVE-2020-25696"
    }
  ],
  "related": [
    "CVE-2020-25694",
    "CVE-2020-25695",
    "CVE-2020-14349",
    "CVE-2020-14350",
    "CVE-2020-25696",
    "CVE-2020-1720"
  ],
  "summary": "Important: postgresql:12 security update"
}

BDU:2023-00613

Vulnerability from fstec - Published: 17.06.2020

Title

Уязвимость системы управления базами данных PostgreSQL, связанная с неконтролируемым элементом пути поиска, позволяющая нарушителю повысить свои привилегии и выполнить произвольные команды

Description

Уязвимость системы управления базами данных PostgreSQL связана с неконтролируемым элементом пути поиска при обработке параметра search_path. Эксплуатация уязвимости может позволить нарушителю, действующему удаленно, повысить свои привилегии и выполнить произвольные команды

Severity ?


                    
                      AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Vendor

Canonical Ltd., Red Hat Inc., Novell Inc., PostgreSQL Global Development Group, АО «ИВК», АО "НППКТ", Postgres Professional

Software Name

Ubuntu, Red Hat Virtualization, Red Hat Enterprise Linux, OpenSUSE Leap, Red Hat Software Collections, PostgreSQL, Альт 8 СП (запись в едином реестре российских программ №4305), ОСОН ОСнова Оnyx (запись в едином реестре российских программ №5913), Postgres Pro Certified (запись в едином реестре российских программ №104)

Software Version

18.04 LTS (Ubuntu), 4 (Red Hat Virtualization), 8 (Red Hat Enterprise Linux), 15.1 (OpenSUSE Leap), - (Red Hat Software Collections), 8.0 Update Services for SAP Solutions (Red Hat Enterprise Linux), 20.04 LTS (Ubuntu), 15.2 (OpenSUSE Leap), 8.1 Extended Update Support (Red Hat Enterprise Linux), 8.2 Extended Update Support (Red Hat Enterprise Linux), от 10.0 до 10.14 (PostgreSQL), от 11.0 до 11.9 (PostgreSQL), от 12.0 до 12.4 (PostgreSQL), - (Альт 8 СП), до 2.3 (ОСОН ОСнова Оnyx), до 11.11.1 (Postgres Pro Certified)

Possible Mitigations

Использование рекомендаций: Для PostgreSQL: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cec57b1a0fbcd3833086ba686897c5883e0a2afc https://www.postgresql.org/support/security/CVE-2020-14349/ Для Postgres Pro Certified: https://postgrespro.ru/products/postgrespro/certified Для Ubuntu: https://ubuntu.com/security/notices/USN-4472-1 Для программных продуктов Novell Inc.: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RVKTSYB6VOWNCXMN2C6CHUQBVHCRICIH/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KCFAAI7HQKWBFPQVB7SCZVKD3NQX2N52/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/25COAMDPKIB3AWDKP6IEG35QG2IFIZ7W/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/JBQ6CL4MQALOVA7GHHQK6R3AD3MXSR5R/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/6NJOWPOFFUYUXLYYWXZGSLK4YBDYXAES/ Для ОСОН ОСнова Оnyx: Обновление программного обеспечения postgresql-11 до версии 11.13+repack1-1.pgdg100+1+osnova2 Для ОС Альт 8 СП: установка обновления из публичного репозитория программного средства

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-14349 https://ubuntu.com/security/notices/USN-4472-1 https://security.gentoo.org/glsa/202008-13 https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RVKTSYB6VOWNCXMN2C6CHUQBVHCRICIH/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KCFAAI7HQKWBFPQVB7SCZVKD3NQX2N52/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/25COAMDPKIB3AWDKP6IEG35QG2IFIZ7W/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/JBQ6CL4MQALOVA7GHHQK6R3AD3MXSR5R/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/6NJOWPOFFUYUXLYYWXZGSLK4YBDYXAES/ https://www.postgresql.org/support/security/CVE-2020-14349/ https://vuldb.com/ru/?id.160186 https://поддержка.нппкт.рф/bin/view/ОСнова/Обновления/2.3/ https://postgrespro.ru/products/postgrespro/certified https://altsp.su/obnovleniya-bezopasnosti/

CWE

CWE-20, CWE-89, CWE-427

JSON

To clipboard

{
  "CVSS 2.0": "AV:N/AC:H/Au:S/C:C/I:C/A:C",
  "CVSS 3.0": "AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
  "CVSS 4.0": null,
  "remediation_\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": null,
  "remediation_\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435": null,
  "\u0412\u0435\u043d\u0434\u043e\u0440 \u041f\u041e": "Canonical Ltd., Red Hat Inc., Novell Inc., PostgreSQL Global Development Group, \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb, \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\", Postgres Professional",
  "\u0412\u0435\u0440\u0441\u0438\u044f \u041f\u041e": "18.04 LTS (Ubuntu), 4 (Red Hat Virtualization), 8 (Red Hat Enterprise Linux), 15.1 (OpenSUSE Leap), - (Red Hat Software Collections), 8.0 Update Services for SAP Solutions (Red Hat Enterprise Linux), 20.04 LTS (Ubuntu), 15.2 (OpenSUSE Leap), 8.1 Extended Update Support (Red Hat Enterprise Linux), 8.2 Extended Update Support (Red Hat Enterprise Linux), \u043e\u0442 10.0 \u0434\u043e 10.14 (PostgreSQL), \u043e\u0442 11.0 \u0434\u043e 11.9 (PostgreSQL), \u043e\u0442 12.0 \u0434\u043e 12.4 (PostgreSQL), - (\u0410\u043b\u044c\u0442 8 \u0421\u041f), \u0434\u043e 2.3 (\u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx), \u0434\u043e 11.11.1 (Postgres Pro Certified)",
  "\u0412\u043e\u0437\u043c\u043e\u0436\u043d\u044b\u0435 \u043c\u0435\u0440\u044b \u043f\u043e \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044e": "\u0418\u0441\u043f\u043e\u043b\u044c\u0437\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u043a\u043e\u043c\u0435\u043d\u0434\u0430\u0446\u0438\u0439:\n\u0414\u043b\u044f PostgreSQL:\nhttps://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=cec57b1a0fbcd3833086ba686897c5883e0a2afc\nhttps://www.postgresql.org/support/security/CVE-2020-14349/\n\n\u0414\u043b\u044f Postgres Pro Certified:\nhttps://postgrespro.ru/products/postgrespro/certified\n\n\u0414\u043b\u044f Ubuntu:\nhttps://ubuntu.com/security/notices/USN-4472-1\n\n\u0414\u043b\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u044b\u0445 \u043f\u0440\u043e\u0434\u0443\u043a\u0442\u043e\u0432 Novell Inc.:\nhttps://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RVKTSYB6VOWNCXMN2C6CHUQBVHCRICIH/\nhttps://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KCFAAI7HQKWBFPQVB7SCZVKD3NQX2N52/\nhttps://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/25COAMDPKIB3AWDKP6IEG35QG2IFIZ7W/\nhttps://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/JBQ6CL4MQALOVA7GHHQK6R3AD3MXSR5R/\nhttps://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/6NJOWPOFFUYUXLYYWXZGSLK4YBDYXAES/\n\n\u0414\u043b\u044f \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx:\n\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f postgresql-11 \u0434\u043e \u0432\u0435\u0440\u0441\u0438\u0438 11.13+repack1-1.pgdg100+1+osnova2\n\n\u0414\u043b\u044f \u041e\u0421 \u0410\u043b\u044c\u0442 8 \u0421\u041f: \u0443\u0441\u0442\u0430\u043d\u043e\u0432\u043a\u0430 \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f \u0438\u0437 \u043f\u0443\u0431\u043b\u0438\u0447\u043d\u043e\u0433\u043e \u0440\u0435\u043f\u043e\u0437\u0438\u0442\u043e\u0440\u0438\u044f \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430",
  "\u0414\u0430\u0442\u0430 \u0432\u044b\u044f\u0432\u043b\u0435\u043d\u0438\u044f": "17.06.2020",
  "\u0414\u0430\u0442\u0430 \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u0435\u0433\u043e \u043e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f": "16.09.2024",
  "\u0414\u0430\u0442\u0430 \u043f\u0443\u0431\u043b\u0438\u043a\u0430\u0446\u0438\u0438": "08.02.2023",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440": "BDU:2023-00613",
  "\u0418\u0434\u0435\u043d\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u043e\u0440\u044b \u0434\u0440\u0443\u0433\u0438\u0445 \u0441\u0438\u0441\u0442\u0435\u043c \u043e\u043f\u0438\u0441\u0430\u043d\u0438\u0439 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "CVE-2020-14349",
  "\u0418\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f \u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0430",
  "\u041a\u043b\u0430\u0441\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u043a\u043e\u0434\u0430",
  "\u041d\u0430\u0437\u0432\u0430\u043d\u0438\u0435 \u041f\u041e": "Ubuntu, Red Hat Virtualization, Red Hat Enterprise Linux, OpenSUSE Leap, Red Hat Software Collections, PostgreSQL, \u0410\u043b\u044c\u0442 8 \u0421\u041f (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913), Postgres Pro Certified (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u2116104)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u041e\u0421 \u0438 \u0442\u0438\u043f \u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0439 \u043f\u043b\u0430\u0442\u0444\u043e\u0440\u043c\u044b": "Canonical Ltd. Ubuntu 18.04 LTS , Red Hat Inc. Red Hat Enterprise Linux 8 , Novell Inc. OpenSUSE Leap 15.1 , Red Hat Inc. Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions , Canonical Ltd. Ubuntu 20.04 LTS , Novell Inc. OpenSUSE Leap 15.2 , Red Hat Inc. Red Hat Enterprise Linux 8.1 Extended Update Support , Red Hat Inc. Red Hat Enterprise Linux 8.2 Extended Update Support , \u0410\u041e \u00ab\u0418\u0412\u041a\u00bb \u0410\u043b\u044c\u0442 8 \u0421\u041f -  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21164305), \u0410\u041e \"\u041d\u041f\u041f\u041a\u0422\" \u041e\u0421\u041e\u041d \u041e\u0421\u043d\u043e\u0432\u0430 \u041enyx \u0434\u043e 2.3  (\u0437\u0430\u043f\u0438\u0441\u044c \u0432 \u0435\u0434\u0438\u043d\u043e\u043c \u0440\u0435\u0435\u0441\u0442\u0440\u0435 \u0440\u043e\u0441\u0441\u0438\u0439\u0441\u043a\u0438\u0445 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c \u21165913)",
  "\u041d\u0430\u0438\u043c\u0435\u043d\u043e\u0432\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0431\u0430\u0437\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 PostgreSQL, \u0441\u0432\u044f\u0437\u0430\u043d\u043d\u0430\u044f \u0441 \u043d\u0435\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u043c \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u043c \u043f\u0443\u0442\u0438 \u043f\u043e\u0438\u0441\u043a\u0430, \u043f\u043e\u0437\u0432\u043e\u043b\u044f\u044e\u0449\u0430\u044f \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b",
  "\u041d\u0430\u043b\u0438\u0447\u0438\u0435 \u044d\u043a\u0441\u043f\u043b\u043e\u0439\u0442\u0430": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "\u041d\u0435\u0434\u043e\u0441\u0442\u0430\u0442\u043e\u0447\u043d\u0430\u044f \u043f\u0440\u043e\u0432\u0435\u0440\u043a\u0430 \u0432\u0432\u043e\u0434\u0438\u043c\u044b\u0445 \u0434\u0430\u043d\u043d\u044b\u0445 (CWE-20), \u041d\u0435\u043f\u0440\u0438\u043d\u044f\u0442\u0438\u0435 \u043c\u0435\u0440 \u043f\u043e \u0437\u0430\u0449\u0438\u0442\u0435 \u0441\u0442\u0440\u0443\u043a\u0442\u0443\u0440\u044b \u0437\u0430\u043f\u0440\u043e\u0441\u0430 SQL (\u0430\u0442\u0430\u043a\u0438 \u0442\u0438\u043f\u0430 \\\"\u0432\u043d\u0435\u0434\u0440\u0435\u043d\u0438\u0435  SQL\\\") (CWE-89), \u041d\u0435\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u0439 \u044d\u043b\u0435\u043c\u0435\u043d\u0442 \u043f\u0443\u0442\u0438 \u043f\u043e\u0438\u0441\u043a\u0430 (CWE-427)",
  "\u041e\u043f\u0438\u0441\u0430\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0423\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u044c \u0441\u0438\u0441\u0442\u0435\u043c\u044b \u0443\u043f\u0440\u0430\u0432\u043b\u0435\u043d\u0438\u044f \u0431\u0430\u0437\u0430\u043c\u0438 \u0434\u0430\u043d\u043d\u044b\u0445 PostgreSQL \u0441\u0432\u044f\u0437\u0430\u043d\u0430 \u0441 \u043d\u0435\u043a\u043e\u043d\u0442\u0440\u043e\u043b\u0438\u0440\u0443\u0435\u043c\u044b\u043c \u044d\u043b\u0435\u043c\u0435\u043d\u0442\u043e\u043c \u043f\u0443\u0442\u0438 \u043f\u043e\u0438\u0441\u043a\u0430 \u043f\u0440\u0438 \u043e\u0431\u0440\u0430\u0431\u043e\u0442\u043a\u0435 \u043f\u0430\u0440\u0430\u043c\u0435\u0442\u0440\u0430 search_path. \u042d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u044f \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438 \u043c\u043e\u0436\u0435\u0442 \u043f\u043e\u0437\u0432\u043e\u043b\u0438\u0442\u044c \u043d\u0430\u0440\u0443\u0448\u0438\u0442\u0435\u043b\u044e, \u0434\u0435\u0439\u0441\u0442\u0432\u0443\u044e\u0449\u0435\u043c\u0443 \u0443\u0434\u0430\u043b\u0435\u043d\u043d\u043e, \u043f\u043e\u0432\u044b\u0441\u0438\u0442\u044c \u0441\u0432\u043e\u0438 \u043f\u0440\u0438\u0432\u0438\u043b\u0435\u0433\u0438\u0438 \u0438 \u0432\u044b\u043f\u043e\u043b\u043d\u0438\u0442\u044c \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u043b\u044c\u043d\u044b\u0435 \u043a\u043e\u043c\u0430\u043d\u0434\u044b",
  "\u041f\u043e\u0441\u043b\u0435\u0434\u0441\u0442\u0432\u0438\u044f \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": null,
  "\u041f\u0440\u043e\u0447\u0430\u044f \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u044f": null,
  "\u0421\u0432\u044f\u0437\u044c \u0441 \u0438\u043d\u0446\u0438\u0434\u0435\u043d\u0442\u0430\u043c\u0438 \u0418\u0411": "\u0414\u0430\u043d\u043d\u044b\u0435 \u0443\u0442\u043e\u0447\u043d\u044f\u044e\u0442\u0441\u044f",
  "\u0421\u043e\u0441\u0442\u043e\u044f\u043d\u0438\u0435 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041e\u043f\u0443\u0431\u043b\u0438\u043a\u043e\u0432\u0430\u043d\u0430",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u0443\u0441\u0442\u0440\u0430\u043d\u0435\u043d\u0438\u044f": "\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u0435 \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e\u0433\u043e \u043e\u0431\u0435\u0441\u043f\u0435\u0447\u0435\u043d\u0438\u044f",
  "\u0421\u043f\u043e\u0441\u043e\u0431 \u044d\u043a\u0441\u043f\u043b\u0443\u0430\u0442\u0430\u0446\u0438\u0438": "\u041f\u043e\u0434\u043c\u0435\u043d\u0430 \u043f\u0440\u0438 \u0432\u0437\u0430\u0438\u043c\u043e\u0434\u0435\u0439\u0441\u0442\u0432\u0438\u0438, \u041c\u0430\u043d\u0438\u043f\u0443\u043b\u0438\u0440\u043e\u0432\u0430\u043d\u0438\u0435 \u0440\u0435\u0441\u0443\u0440\u0441\u0430\u043c\u0438, \u0418\u043d\u044a\u0435\u043a\u0446\u0438\u044f",
  "\u0421\u0441\u044b\u043b\u043a\u0438 \u043d\u0430 \u0438\u0441\u0442\u043e\u0447\u043d\u0438\u043a\u0438": "https://nvd.nist.gov/vuln/detail/CVE-2020-14349\nhttps://ubuntu.com/security/notices/USN-4472-1\nhttps://security.gentoo.org/glsa/202008-13\nhttps://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/RVKTSYB6VOWNCXMN2C6CHUQBVHCRICIH/\nhttps://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KCFAAI7HQKWBFPQVB7SCZVKD3NQX2N52/\nhttps://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/25COAMDPKIB3AWDKP6IEG35QG2IFIZ7W/\nhttps://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/JBQ6CL4MQALOVA7GHHQK6R3AD3MXSR5R/\nhttps://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/6NJOWPOFFUYUXLYYWXZGSLK4YBDYXAES/\nhttps://www.postgresql.org/support/security/CVE-2020-14349/\nhttps://vuldb.com/ru/?id.160186\nhttps://\u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0430.\u043d\u043f\u043f\u043a\u0442.\u0440\u0444/bin/view/\u041e\u0421\u043d\u043e\u0432\u0430/\u041e\u0431\u043d\u043e\u0432\u043b\u0435\u043d\u0438\u044f/2.3/\nhttps://postgrespro.ru/products/postgrespro/certified\nhttps://altsp.su/obnovleniya-bezopasnosti/",
  "\u0421\u0442\u0430\u0442\u0443\u0441 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0430 \u043f\u0440\u043e\u0438\u0437\u0432\u043e\u0434\u0438\u0442\u0435\u043b\u0435\u043c",
  "\u0422\u0438\u043f \u041f\u041e": "\u041e\u043f\u0435\u0440\u0430\u0446\u0438\u043e\u043d\u043d\u0430\u044f \u0441\u0438\u0441\u0442\u0435\u043c\u0430, \u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u0438\u0437\u0430\u0446\u0438\u0438/\u041f\u041e \u0432\u0438\u0440\u0442\u0443\u0430\u043b\u044c\u043d\u043e\u0433\u043e \u043f\u0440\u043e\u0433\u0440\u0430\u043c\u043c\u043d\u043e-\u0430\u043f\u043f\u0430\u0440\u0430\u0442\u043d\u043e\u0433\u043e \u0441\u0440\u0435\u0434\u0441\u0442\u0432\u0430, \u041f\u0440\u0438\u043a\u043b\u0430\u0434\u043d\u043e\u0435 \u041f\u041e \u0438\u043d\u0444\u043e\u0440\u043c\u0430\u0446\u0438\u043e\u043d\u043d\u044b\u0445 \u0441\u0438\u0441\u0442\u0435\u043c, \u0421\u0423\u0411\u0414, \u041f\u041e \u0434\u043b\u044f \u0440\u0430\u0437\u0440\u0430\u0431\u043e\u0442\u043a\u0438 \u0418\u0418",
  "\u0422\u0438\u043f \u043e\u0448\u0438\u0431\u043a\u0438 CWE": "CWE-20, CWE-89, CWE-427",
  "\u0423\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 \u0443\u044f\u0437\u0432\u0438\u043c\u043e\u0441\u0442\u0438": "\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 2.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,1)\n\u0412\u044b\u0441\u043e\u043a\u0438\u0439 \u0443\u0440\u043e\u0432\u0435\u043d\u044c \u043e\u043f\u0430\u0441\u043d\u043e\u0441\u0442\u0438 (\u0431\u0430\u0437\u043e\u0432\u0430\u044f \u043e\u0446\u0435\u043d\u043a\u0430 CVSS 3.0 \u0441\u043e\u0441\u0442\u0430\u0432\u043b\u044f\u0435\u0442 7,5)"
}

bit-postgresql-2020-14349

Vulnerability from bitnami_vulndb

Published

2024-03-06 11:06

Modified

2025-04-03 14:40

Summary

Details

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Bitnami",
        "name": "postgresql",
        "purl": "pkg:bitnami/postgresql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "10.0.0"
            },
            {
              "fixed": "10.14.0"
            },
            {
              "introduced": "11.0.0"
            },
            {
              "fixed": "11.9.0"
            },
            {
              "introduced": "12.0.0"
            },
            {
              "fixed": "12.4.0"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "severity": [
        {
          "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "type": "CVSS_V3"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-14349"
  ],
  "database_specific": {
    "cpes": [
      "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*"
    ],
    "severity": "High"
  },
  "details": "It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.",
  "id": "BIT-postgresql-2020-14349",
  "modified": "2025-04-03T14:40:37.652Z",
  "published": "2024-03-06T11:06:51.679Z",
  "references": [
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865744"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202008-13"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200918-0002/"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4472-1/"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14349"
    }
  ],
  "schema_version": "1.5.0"
}

cleanstart-2026-fw42039

Vulnerability from cleanstart

Published

2026-01-30 17:19

Modified

2026-01-29 18:58

Summary

vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT

Details

Multiple security vulnerabilities affect the postgresql package. A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. See references for individual vulnerability details.

Severity

9.8 (Critical)


                    
                      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2017-15098	WEB
	https://osv.dev/vulnerability/CVE-2017-15099	WEB
	https://osv.dev/vulnerability/CVE-2017-7484	WEB
	https://osv.dev/vulnerability/CVE-2017-7485	WEB
	https://osv.dev/vulnerability/CVE-2017-7486	WEB
	https://osv.dev/vulnerability/CVE-2017-7546	WEB
	https://osv.dev/vulnerability/CVE-2017-7547	WEB
	https://osv.dev/vulnerability/CVE-2017-7548	WEB
	https://osv.dev/vulnerability/CVE-2018-1052	WEB
	https://osv.dev/vulnerability/CVE-2018-1058	WEB
	https://osv.dev/vulnerability/CVE-2018-16850	WEB
	https://osv.dev/vulnerability/CVE-2019-10129	WEB
	https://osv.dev/vulnerability/CVE-2019-10130	WEB
	https://osv.dev/vulnerability/CVE-2019-10208	WEB
	https://osv.dev/vulnerability/CVE-2019-10209	WEB
	https://osv.dev/vulnerability/CVE-2020-14349	WEB
	https://osv.dev/vulnerability/CVE-2020-14350	WEB
	https://osv.dev/vulnerability/CVE-2020-25694	WEB
	https://osv.dev/vulnerability/CVE-2020-25695	WEB
	https://osv.dev/vulnerability/CVE-2020-25696	WEB
	https://osv.dev/vulnerability/CVE-2021-20229	WEB
	https://osv.dev/vulnerability/CVE-2021-23214	WEB
	https://osv.dev/vulnerability/CVE-2021-32027	WEB
	https://osv.dev/vulnerability/CVE-2021-32028	WEB
	https://osv.dev/vulnerability/CVE-2021-32029	WEB
	https://osv.dev/vulnerability/CVE-2021-3393	WEB
	https://osv.dev/vulnerability/CVE-2021-3677	WEB
	https://osv.dev/vulnerability/CVE-2022-2625	WEB
	https://osv.dev/vulnerability/CVE-2022-41862	WEB
	https://osv.dev/vulnerability/CVE-2023-2454	WEB
	https://osv.dev/vulnerability/CVE-2023-2455	WEB
	https://osv.dev/vulnerability/CVE-2023-39418	WEB
	https://osv.dev/vulnerability/CVE-2023-5870	WEB
	https://osv.dev/vulnerability/CVE-2024-7348	WEB
	https://osv.dev/vulnerability/CVE-2025-51476	WEB
	https://osv.dev/vulnerability/CVE-2025-51477	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-15098	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-15099	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-7484	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-7485	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-7486	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-7546	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-7547	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-7548	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2018-1052	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2018-1058	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2018-16850	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2019-10129	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2019-10130	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2019-10208	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2019-10209	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2020-14349	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2020-14350	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2020-25694	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2020-25695	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2020-25696	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-20229	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-23214	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-32027	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-32028	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-32029	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-3393	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-3677	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-2625	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-41862	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2023-2454	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2023-2455	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2023-39418	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2023-5870	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-7348	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-51476	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-51477	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "postgresql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.6.4-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the postgresql package. A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-FW42039",
  "modified": "2026-01-29T18:58:54Z",
  "published": "2026-01-30T17:19:56.954092Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-FW42039"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-15098"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-15099"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-7484"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-7485"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-7486"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-7546"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-7547"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-7548"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-1052"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-1058"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-16850"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-10129"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-10130"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-10208"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-10209"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-14349"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-14350"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-25694"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-25695"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-25696"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-20229"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-23214"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-32027"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-32028"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-32029"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-3393"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-3677"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-2625"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-41862"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-2454"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-2455"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-39418"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-5870"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-7348"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-51476"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-51477"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15098"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15099"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7484"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7485"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7486"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7546"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7547"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7548"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1052"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1058"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16850"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10129"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10130"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10208"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10209"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14349"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14350"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25694"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25695"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25696"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20229"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23214"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32027"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32028"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32029"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3393"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3677"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2625"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41862"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2454"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2455"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39418"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5870"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7348"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51476"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-51477"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT",
  "upstream": [
    "CVE-2017-15098",
    "CVE-2017-15099",
    "CVE-2017-7484",
    "CVE-2017-7485",
    "CVE-2017-7486",
    "CVE-2017-7546",
    "CVE-2017-7547",
    "CVE-2017-7548",
    "CVE-2018-1052",
    "CVE-2018-1058",
    "CVE-2018-16850",
    "CVE-2019-10129",
    "CVE-2019-10130",
    "CVE-2019-10208",
    "CVE-2019-10209",
    "CVE-2020-14349",
    "CVE-2020-14350",
    "CVE-2020-25694",
    "CVE-2020-25695",
    "CVE-2020-25696",
    "CVE-2021-20229",
    "CVE-2021-23214",
    "CVE-2021-32027",
    "CVE-2021-32028",
    "CVE-2021-32029",
    "CVE-2021-3393",
    "CVE-2021-3677",
    "CVE-2022-2625",
    "CVE-2022-41862",
    "CVE-2023-2454",
    "CVE-2023-2455",
    "CVE-2023-39418",
    "CVE-2023-5870",
    "CVE-2024-7348",
    "CVE-2025-51476",
    "CVE-2025-51477"
  ]
}

cleanstart-2026-hj04971

Vulnerability from cleanstart

Published

2026-01-30 17:21

Modified

2026-01-29 18:58

Summary

vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT

Details

Severity

9.8 (Critical)


                    
                      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2017-15098	WEB
	https://osv.dev/vulnerability/CVE-2017-15099	WEB
	https://osv.dev/vulnerability/CVE-2017-7484	WEB
	https://osv.dev/vulnerability/CVE-2017-7485	WEB
	https://osv.dev/vulnerability/CVE-2017-7486	WEB
	https://osv.dev/vulnerability/CVE-2017-7546	WEB
	https://osv.dev/vulnerability/CVE-2017-7547	WEB
	https://osv.dev/vulnerability/CVE-2017-7548	WEB
	https://osv.dev/vulnerability/CVE-2018-1052	WEB
	https://osv.dev/vulnerability/CVE-2018-1058	WEB
	https://osv.dev/vulnerability/CVE-2018-16850	WEB
	https://osv.dev/vulnerability/CVE-2019-10129	WEB
	https://osv.dev/vulnerability/CVE-2019-10130	WEB
	https://osv.dev/vulnerability/CVE-2019-10208	WEB
	https://osv.dev/vulnerability/CVE-2019-10209	WEB
	https://osv.dev/vulnerability/CVE-2020-14349	WEB
	https://osv.dev/vulnerability/CVE-2020-14350	WEB
	https://osv.dev/vulnerability/CVE-2020-25694	WEB
	https://osv.dev/vulnerability/CVE-2020-25695	WEB
	https://osv.dev/vulnerability/CVE-2020-25696	WEB
	https://osv.dev/vulnerability/CVE-2021-20229	WEB
	https://osv.dev/vulnerability/CVE-2021-23214	WEB
	https://osv.dev/vulnerability/CVE-2021-32027	WEB
	https://osv.dev/vulnerability/CVE-2021-32028	WEB
	https://osv.dev/vulnerability/CVE-2021-32029	WEB
	https://osv.dev/vulnerability/CVE-2021-3393	WEB
	https://osv.dev/vulnerability/CVE-2021-3677	WEB
	https://osv.dev/vulnerability/CVE-2022-2625	WEB
	https://osv.dev/vulnerability/CVE-2022-41862	WEB
	https://osv.dev/vulnerability/CVE-2023-2454	WEB
	https://osv.dev/vulnerability/CVE-2023-2455	WEB
	https://osv.dev/vulnerability/CVE-2023-39418	WEB
	https://osv.dev/vulnerability/CVE-2023-5870	WEB
	https://osv.dev/vulnerability/CVE-2024-7348	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-15098	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-15099	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-7484	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-7485	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-7486	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-7546	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-7547	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2017-7548	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2018-1052	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2018-1058	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2018-16850	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2019-10129	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2019-10130	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2019-10208	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2019-10209	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2020-14349	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2020-14350	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2020-25694	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2020-25695	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2020-25696	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-20229	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-23214	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-32027	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-32028	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-32029	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-3393	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2021-3677	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-2625	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2022-41862	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2023-2454	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2023-2455	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2023-39418	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2023-5870	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2024-7348	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "postgresql"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.6.4-r0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the postgresql package. A vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-HJ04971",
  "modified": "2026-01-29T18:58:54Z",
  "published": "2026-01-30T17:21:56.808972Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-HJ04971"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-15098"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-15099"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-7484"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-7485"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-7486"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-7546"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-7547"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2017-7548"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-1052"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-1058"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2018-16850"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-10129"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-10130"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-10208"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2019-10209"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-14349"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-14350"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-25694"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-25695"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2020-25696"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-20229"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-23214"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-32027"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-32028"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-32029"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-3393"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2021-3677"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-2625"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2022-41862"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-2454"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-2455"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-39418"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2023-5870"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2024-7348"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15098"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15099"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7484"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7485"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7486"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7546"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7547"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7548"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1052"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1058"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-16850"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10129"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10130"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10208"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10209"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14349"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14350"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25694"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25695"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25696"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-20229"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-23214"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32027"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32028"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32029"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3393"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-3677"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-2625"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-41862"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2454"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2455"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-39418"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5870"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-7348"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "vulnerability was found in PostgreSQL with the use of the MERGE command, which fails to test new rows against row security policies defined for UPDATE and SELECT",
  "upstream": [
    "CVE-2017-15098",
    "CVE-2017-15099",
    "CVE-2017-7484",
    "CVE-2017-7485",
    "CVE-2017-7486",
    "CVE-2017-7546",
    "CVE-2017-7547",
    "CVE-2017-7548",
    "CVE-2018-1052",
    "CVE-2018-1058",
    "CVE-2018-16850",
    "CVE-2019-10129",
    "CVE-2019-10130",
    "CVE-2019-10208",
    "CVE-2019-10209",
    "CVE-2020-14349",
    "CVE-2020-14350",
    "CVE-2020-25694",
    "CVE-2020-25695",
    "CVE-2020-25696",
    "CVE-2021-20229",
    "CVE-2021-23214",
    "CVE-2021-32027",
    "CVE-2021-32028",
    "CVE-2021-32029",
    "CVE-2021-3393",
    "CVE-2021-3677",
    "CVE-2022-2625",
    "CVE-2022-41862",
    "CVE-2023-2454",
    "CVE-2023-2455",
    "CVE-2023-39418",
    "CVE-2023-5870",
    "CVE-2024-7348"
  ]
}

CNVD-2020-64266

Vulnerability from cnvd - Published: 2020-11-18

Title

PostgreSQL代码问题漏洞

Description

PostgreSQL是PostgreSQL组织的一套自由的对象关系型数据库管理系统。该系统支持大部分SQL标准并且提供了许多其他特性，例如外键、触发器、视图等。 PostgreSQL 中存在代码问题漏洞。该漏洞源于网络系统或产品的代码开发过程中存在设计或实现不当的问题。目前没有详细漏洞细节提供。

Severity

中

Patch Name

PostgreSQL代码问题漏洞的补丁

Patch Description

PostgreSQL是PostgreSQL组织的一套自由的对象关系型数据库管理系统。该系统支持大部分SQL标准并且提供了许多其他特性，例如外键、触发器、视图等。 PostgreSQL 中存在代码问题漏洞。该漏洞源于网络系统或产品的代码开发过程中存在设计或实现不当的问题。目前没有详细漏洞细节提供。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://www.postgresql.org/about/news/2060/

Reference

https://access.redhat.com/security/cve/cve-2020-14349

Impacted products

Name
['Postgresql PostgreSQL <12.4', 'Postgresql PostgreSQL <11.9', 'Postgresql PostgreSQL <10.14']

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2020-14349",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2020-14349"
    }
  },
  "description": "PostgreSQL\u662fPostgreSQL\u7ec4\u7ec7\u7684\u4e00\u5957\u81ea\u7531\u7684\u5bf9\u8c61\u5173\u7cfb\u578b\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u652f\u6301\u5927\u90e8\u5206SQL\u6807\u51c6\u5e76\u4e14\u63d0\u4f9b\u4e86\u8bb8\u591a\u5176\u4ed6\u7279\u6027\uff0c\u4f8b\u5982\u5916\u952e\u3001\u89e6\u53d1\u5668\u3001\u89c6\u56fe\u7b49\u3002\n\nPostgreSQL \u4e2d\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u7684\u4ee3\u7801\u5f00\u53d1\u8fc7\u7a0b\u4e2d\u5b58\u5728\u8bbe\u8ba1\u6216\u5b9e\u73b0\u4e0d\u5f53\u7684\u95ee\u9898\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://www.postgresql.org/about/news/2060/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2020-64266",
  "openTime": "2020-11-18",
  "patchDescription": "PostgreSQL\u662fPostgreSQL\u7ec4\u7ec7\u7684\u4e00\u5957\u81ea\u7531\u7684\u5bf9\u8c61\u5173\u7cfb\u578b\u6570\u636e\u5e93\u7ba1\u7406\u7cfb\u7edf\u3002\u8be5\u7cfb\u7edf\u652f\u6301\u5927\u90e8\u5206SQL\u6807\u51c6\u5e76\u4e14\u63d0\u4f9b\u4e86\u8bb8\u591a\u5176\u4ed6\u7279\u6027\uff0c\u4f8b\u5982\u5916\u952e\u3001\u89e6\u53d1\u5668\u3001\u89c6\u56fe\u7b49\u3002\r\n\r\nPostgreSQL \u4e2d\u5b58\u5728\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7f51\u7edc\u7cfb\u7edf\u6216\u4ea7\u54c1\u7684\u4ee3\u7801\u5f00\u53d1\u8fc7\u7a0b\u4e2d\u5b58\u5728\u8bbe\u8ba1\u6216\u5b9e\u73b0\u4e0d\u5f53\u7684\u95ee\u9898\u3002\u76ee\u524d\u6ca1\u6709\u8be6\u7ec6\u6f0f\u6d1e\u7ec6\u8282\u63d0\u4f9b\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "PostgreSQL\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Postgresql PostgreSQL \u003c12.4",
      "Postgresql PostgreSQL \u003c11.9",
      "Postgresql PostgreSQL \u003c10.14"
    ]
  },
  "referenceLink": "https://access.redhat.com/security/cve/cve-2020-14349",
  "serverity": "\u4e2d",
  "submitTime": "2020-08-17",
  "title": "PostgreSQL\u4ee3\u7801\u95ee\u9898\u6f0f\u6d1e"
}

FKIE_CVE-2020-14349

Vulnerability from fkie_nvd - Published: 2020-08-24 13:15 - Updated: 2024-11-21 05:03

Severity ?

7.1 (High) - CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
secalert@redhat.com	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html	Broken Link, Mailing List, Third Party Advisory
secalert@redhat.com	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html	Mailing List, Third Party Advisory
secalert@redhat.com	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html	Mailing List, Third Party Advisory
secalert@redhat.com	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html	Mailing List, Third Party Advisory
secalert@redhat.com	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html	Mailing List, Third Party Advisory
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=1865744	Issue Tracking, Third Party Advisory
secalert@redhat.com	https://security.gentoo.org/glsa/202008-13	Third Party Advisory
secalert@redhat.com	https://security.netapp.com/advisory/ntap-20200918-0002/	Third Party Advisory
secalert@redhat.com	https://usn.ubuntu.com/4472-1/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html	Broken Link, Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html	Mailing List, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=1865744	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.gentoo.org/glsa/202008-13	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://security.netapp.com/advisory/ntap-20200918-0002/	Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://usn.ubuntu.com/4472-1/	Third Party Advisory

Impacted products

Vendor	Product	Version
postgresql	postgresql	*
postgresql	postgresql	*
postgresql	postgresql	*
opensuse	leap	15.1
opensuse	leap	15.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "66E3FC4A-00FF-4006-A9E6-7B9ED8EB3F2E",
              "versionEndExcluding": "10.14",
              "versionStartIncluding": "10.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B74FDCC8-2D95-45FB-B8DE-2C1AAA71D446",
              "versionEndExcluding": "11.9",
              "versionStartIncluding": "11.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5300CA7F-5BB7-40BA-9237-C4865C1373CF",
              "versionEndExcluding": "12.4",
              "versionStartIncluding": "12.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "B009C22E-30A4-4288-BCF6-C3E81DEAF45A",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication."
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 que las versiones de PostgreSQL anteriores a 12.4, anteriores a 11.9 y anteriores a 10.14, no saneban apropiadamente la funci\u00f3n search_path durante la replicaci\u00f3n l\u00f3gica. Un atacante autenticado podr\u00eda usar este fallo en un ataque similar al CVE-2018-1058, para ejecutar un comando SQL arbitrario en el contexto del usuario usado para la replicaci\u00f3n."
    }
  ],
  "id": "CVE-2020-14349",
  "lastModified": "2024-11-21T05:03:04.083",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "HIGH",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 4.6,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2020-08-24T13:15:10.903",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Broken Link",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865744"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202008-13"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20200918-0002/"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://usn.ubuntu.com/4472-1/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Broken Link",
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List",
        "Third Party Advisory"
      ],
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865744"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.gentoo.org/glsa/202008-13"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://security.netapp.com/advisory/ntap-20200918-0002/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://usn.ubuntu.com/4472-1/"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        },
        {
          "lang": "en",
          "value": "CWE-427"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-2783-H34H-Q54Q

Vulnerability from github – Published: 2022-05-24 17:26 – Updated: 2023-01-24 03:30

Details

Severity ?

7.1 (High)


                  
                    CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2020-14349"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-89"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-08-24T13:15:00Z",
    "severity": "HIGH"
  },
  "details": "It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.",
  "id": "GHSA-2783-h34h-q54q",
  "modified": "2023-01-24T03:30:18Z",
  "published": "2022-05-24T17:26:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-14349"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1865744"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202008-13"
    },
    {
      "type": "WEB",
      "url": "https://security.netapp.com/advisory/ntap-20200918-0002"
    },
    {
      "type": "WEB",
      "url": "https://usn.ubuntu.com/4472-1"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html"
    },
    {
      "type": "WEB",
      "url": "http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-14349 (GCVE-0-2020-14349)

Solution

Solution

Vulnerability from osv_almalinux

Vulnerability from bitnami_vulndb

Vulnerability from cleanstart

Vulnerability from cleanstart

Tags

Sightings

Nomenclature