CVSS: 8.8EPSS: 0%CPEs: 6EXPL: 0CVE-2019-10127
https://notcve.org/view.php?id=CVE-2019-10127
19 Mar 2021 — A vulnerability was found in postgresql versions 11.x prior to 11.3. The Windows installer for BigSQL-supplied PostgreSQL does not lock down the ACL of the binary installation directory or the ACL of the data directory; it keeps the inherited ACL. In the default configuration, an attacker having both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. An attacker having only the unprivileged Windows account can read arbit... • https://bugzilla.redhat.com/show_bug.cgi?id=1707098 • CWE-284: Improper Access Control •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2021-20229 – Gentoo Linux Security Advisory 202105-32
https://notcve.org/view.php?id=CVE-2021-20229
23 Feb 2021 — A flaw was found in PostgreSQL in versions before 13.2. This flaw allows a user with SELECT privilege on one column to craft a special query that returns all columns of the table. The highest threat from this vulnerability is to confidentiality. Se ha encontrado un fallo en PostgreSQL en las versiones anteriores a la 13.2. Este fallo permite a un usuario con privilegio SELECT en una columna elaborar una consulta especial que devuelva todas las columnas de la tabla. • https://bugzilla.redhat.com/show_bug.cgi?id=1925296 • CWE-863: Incorrect Authorization •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2021-3393 – postgresql: Partition constraint violation errors leak values of denied columns
https://notcve.org/view.php?id=CVE-2021-3393
15 Feb 2021 — An information leak was discovered in postgresql in versions before 13.2, before 12.6 and before 11.11. A user having UPDATE permission but not SELECT permission to a particular column could craft queries which, under some circumstances, might disclose values from that column in error messages. An attacker could use this flaw to obtain information stored in a column they are allowed to write but not read. Se detectó un filtrado de información en postgresql en versiones anteriores a 13.2, versiones anteriore... • https://bugzilla.redhat.com/show_bug.cgi?id=1924005 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 7.6EPSS: 0%CPEs: 7EXPL: 0CVE-2020-25696 – postgresql: psql's \gset allows overwriting specially treated variables
https://notcve.org/view.php?id=CVE-2020-25696
17 Nov 2020 — A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en el terminal interactivo psql de PostgreSQL en... • https://bugzilla.redhat.com/show_bug.cgi?id=1894430 • CWE-183: Permissive List of Allowed Inputs CWE-270: Privilege Context Switching Error CWE-697: Incorrect Comparison •
CVSS: 8.8EPSS: 23%CPEs: 7EXPL: 0CVE-2020-25695 – postgresql: Multiple features escape "security restricted operation" sandbox
https://notcve.org/view.php?id=CVE-2020-25695
16 Nov 2020 — A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en PostgreSQL versiones anteriores a 13.1, anteriores a 12.5, anteriores a 11.10, anteriores... • https://bugzilla.redhat.com/show_bug.cgi?id=1894425 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.1EPSS: 0%CPEs: 7EXPL: 0CVE-2020-25694 – postgresql: Reconnection can downgrade connection security settings
https://notcve.org/view.php?id=CVE-2020-25694
16 Nov 2020 — A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.... • https://bugzilla.redhat.com/show_bug.cgi?id=1894423 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVSS: 7.3EPSS: 0%CPEs: 5EXPL: 0CVE-2020-10733
https://notcve.org/view.php?id=CVE-2020-10733
16 Sep 2020 — The Windows installer for PostgreSQL 9.5 - 12 invokes system-provided executables that do not have fully-qualified paths. Executables in the directory where the installer loads or the current working directory take precedence over the intended executables. An attacker having permission to add files into one of those directories can use this to execute arbitrary code with the installer's administrative rights. El instalador de Windows para PostgreSQL versiones 9.5 - 12, invoca los ejecutables proporcionados ... • https://security.netapp.com/advisory/ntap-20201001-0006 • CWE-426: Untrusted Search Path •
CVSS: 7.3EPSS: 0%CPEs: 11EXPL: 0CVE-2020-14350 – postgresql: Uncontrolled search path element in CREATE EXTENSION
https://notcve.org/view.php?id=CVE-2020-14350
24 Aug 2020 — It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23. Se detectó que algunas extensiones de PostgreSQL no usaban la función search_path de forma segura en su script de inst... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html • CWE-20: Improper Input Validation CWE-426: Untrusted Search Path •
CVSS: 7.1EPSS: 0%CPEs: 5EXPL: 0CVE-2020-14349 – postgresql: Uncontrolled search path element in logical replication
https://notcve.org/view.php?id=CVE-2020-14349
24 Aug 2020 — It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication. Se detectó que las versiones de PostgreSQL anteriores a 12.4, anteriores a 11.9 y anteriores a 10.14, no saneban apropiadamente la función search_path durante la replicación lógica. Un a... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html • CWE-20: Improper Input Validation CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-427: Uncontrolled Search Path Element •
CVSS: 7.7EPSS: 2%CPEs: 6EXPL: 0CVE-2020-13692 – postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
https://notcve.org/view.php?id=CVE-2020-13692
04 Jun 2020 — PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. PostgreSQL JDBC Driver (también se conoce como PgJDBC) versiones anteriores a 42.2.13, permite un ataque de tipo XXE A flaw was found in PostgreSQL JDBC in versions prior to 42.2.13. An XML External Entity (XXE) weakness was found in PostgreSQL JDBC. The highest threat from this vulnerability is to data confidentiality and system availability. Red Hat Decision Manager is an open source decision management platform that combines business rules ma... • https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65 • CWE-611: Improper Restriction of XML External Entity Reference •