Page 2 of 28 results (0.011 seconds)

CVSS: 8.8EPSS: 2%CPEs: 7EXPL: 0

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en PostgreSQL versiones anteriores a 13.1, anteriores a 12.5, anteriores a 11.10, anteriores a 10.15, anteriores a 9.6.20 y anteriores a 9.5.24. Un atacante que tenga permiso para crear objetos no temporales en al menos un esquema puede ejecutar funciones SQL arbitrarias bajo la identidad de un superusuario. • https://bugzilla.redhat.com/show_bug.cgi?id=1894425 https://lists.debian.org/debian-lts-announce/2020/12/msg00005.html https://security.gentoo.org/glsa/202012-07 https://security.netapp.com/advisory/ntap-20201202-0003 https://www.postgresql.org/support/security https://access.redhat.com/security/cve/CVE-2020-25695 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.1EPSS: 0%CPEs: 7EXPL: 0

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en PostgreSQL versiones anteriores a 13.1, anteriores a 12.5, anteriores a 11.10, anteriores a 10.15, anteriores a 9.6.20 y anteriores a 9.5.24. Si una aplicación cliente que crea conexiones de base de datos adicionales solo reutiliza los parámetros de conexión básicos mientras elimina los parámetros relevantes para la seguridad, una oportunidad para un ataque de tipo man-in-the-middle, o la capacidad de observar transmisiones de texto sin cifrar podrían existir. • https://bugzilla.redhat.com/show_bug.cgi?id=1894423 https://lists.debian.org/debian-lts-announce/2020/12/msg00005.html https://security.gentoo.org/glsa/202012-07 https://security.netapp.com/advisory/ntap-20201202-0003 https://www.postgresql.org/support/security https://access.redhat.com/security/cve/CVE-2020-25694 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •

CVSS: 7.3EPSS: 0%CPEs: 5EXPL: 0

The Windows installer for PostgreSQL 9.5 - 12 invokes system-provided executables that do not have fully-qualified paths. Executables in the directory where the installer loads or the current working directory take precedence over the intended executables. An attacker having permission to add files into one of those directories can use this to execute arbitrary code with the installer's administrative rights. El instalador de Windows para PostgreSQL versiones 9.5 - 12, invoca los ejecutables proporcionados por el sistema que no presentan rutas completamente calificadas. Los ejecutables en el directorio donde se carga el instalador o el directorio de trabajo actual presentan prioridad sobre los ejecutables previstos. • https://security.netapp.com/advisory/ntap-20201001-0006 https://www.postgresql.org/about/news/2038 https://www.postgresql.org/support/security/11 • CWE-426: Untrusted Search Path •

CVSS: 7.3EPSS: 0%CPEs: 11EXPL: 0

It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23. Se detectó que algunas extensiones de PostgreSQL no usaban la función search_path de forma segura en su script de instalación. Un atacante con suficientes privilegios podría usar este fallo para engañar a un administrador para ejecutar un script especialmente diseñado durante la instalación o actualización de dicha extensión. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html https://bugzilla.redhat.com/show_bug.cgi?id=1865746 https: • CWE-20: Improper Input Validation CWE-426: Untrusted Search Path •

CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0

Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory. El instalador de Postgresql Windows anterior a las versiones 11.5, 10.10, 9.6.15, 9.5.19 y 9.4.24, es vulnerable por medio del código de ejecución de OpenSSL integrado desde un directorio desprotegido • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10211 https://www.postgresql.org/about/news/1960 • CWE-94: Improper Control of Generation of Code ('Code Injection') •