CVSS: 7.6EPSS: 0%CPEs: 7EXPL: 0CVE-2020-25696 – postgresql: psql's \gset allows overwriting specially treated variables
https://notcve.org/view.php?id=CVE-2020-25696
17 Nov 2020 — A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en el terminal interactivo psql de PostgreSQL en... • https://bugzilla.redhat.com/show_bug.cgi?id=1894430 • CWE-183: Permissive List of Allowed Inputs CWE-270: Privilege Context Switching Error CWE-697: Incorrect Comparison •
CVSS: 8.8EPSS: 23%CPEs: 7EXPL: 0CVE-2020-25695 – postgresql: Multiple features escape "security restricted operation" sandbox
https://notcve.org/view.php?id=CVE-2020-25695
16 Nov 2020 — A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en PostgreSQL versiones anteriores a 13.1, anteriores a 12.5, anteriores a 11.10, anteriores... • https://bugzilla.redhat.com/show_bug.cgi?id=1894425 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 0%CPEs: 7EXPL: 0CVE-2020-25694 – postgresql: Reconnection can downgrade connection security settings
https://notcve.org/view.php?id=CVE-2020-25694
16 Nov 2020 — A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.... • https://bugzilla.redhat.com/show_bug.cgi?id=1894423 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •