CVE-2020-25696 – postgresql: psql's \gset allows overwriting specially treated variables
https://notcve.org/view.php?id=CVE-2020-25696
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en el terminal interactivo psql de PostgreSQL en versiones anteriores a 13.1, anteriores a 12.5, anteriores a 11.10, anteriores a 10.15, anteriores a 9.6.20 y anteriores a 9.5.24. Si una sesión psql interactiva utiliza \gset al consultar un servidor comprometido, el atacante puede ejecutar código arbitrario como la cuenta del sistema operativo que ejecuta psql. • https://bugzilla.redhat.com/show_bug.cgi?id=1894430 https://lists.debian.org/debian-lts-announce/2020/12/msg00005.html https://security.gentoo.org/glsa/202012-07 https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111 https://access.redhat.com/security/cve/CVE-2020-25696 • CWE-183: Permissive List of Allowed Inputs CWE-270: Privilege Context Switching Error CWE-697: Incorrect Comparison •
CVE-2020-25695 – postgresql: Multiple features escape "security restricted operation" sandbox
https://notcve.org/view.php?id=CVE-2020-25695
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en PostgreSQL versiones anteriores a 13.1, anteriores a 12.5, anteriores a 11.10, anteriores a 10.15, anteriores a 9.6.20 y anteriores a 9.5.24. Un atacante que tenga permiso para crear objetos no temporales en al menos un esquema puede ejecutar funciones SQL arbitrarias bajo la identidad de un superusuario. • https://bugzilla.redhat.com/show_bug.cgi?id=1894425 https://lists.debian.org/debian-lts-announce/2020/12/msg00005.html https://security.gentoo.org/glsa/202012-07 https://security.netapp.com/advisory/ntap-20201202-0003 https://www.postgresql.org/support/security https://access.redhat.com/security/cve/CVE-2020-25695 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2020-25694 – postgresql: Reconnection can downgrade connection security settings
https://notcve.org/view.php?id=CVE-2020-25694
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If a client application that creates additional database connections only reuses the basic connection parameters while dropping security-relevant parameters, an opportunity for a man-in-the-middle attack, or the ability to observe clear-text transmissions, could exist. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. Se encontró un fallo en PostgreSQL versiones anteriores a 13.1, anteriores a 12.5, anteriores a 11.10, anteriores a 10.15, anteriores a 9.6.20 y anteriores a 9.5.24. Si una aplicación cliente que crea conexiones de base de datos adicionales solo reutiliza los parámetros de conexión básicos mientras elimina los parámetros relevantes para la seguridad, una oportunidad para un ataque de tipo man-in-the-middle, o la capacidad de observar transmisiones de texto sin cifrar podrían existir. • https://bugzilla.redhat.com/show_bug.cgi?id=1894423 https://lists.debian.org/debian-lts-announce/2020/12/msg00005.html https://security.gentoo.org/glsa/202012-07 https://security.netapp.com/advisory/ntap-20201202-0003 https://www.postgresql.org/support/security https://access.redhat.com/security/cve/CVE-2020-25694 • CWE-327: Use of a Broken or Risky Cryptographic Algorithm •
CVE-2020-10733
https://notcve.org/view.php?id=CVE-2020-10733
The Windows installer for PostgreSQL 9.5 - 12 invokes system-provided executables that do not have fully-qualified paths. Executables in the directory where the installer loads or the current working directory take precedence over the intended executables. An attacker having permission to add files into one of those directories can use this to execute arbitrary code with the installer's administrative rights. El instalador de Windows para PostgreSQL versiones 9.5 - 12, invoca los ejecutables proporcionados por el sistema que no presentan rutas completamente calificadas. Los ejecutables en el directorio donde se carga el instalador o el directorio de trabajo actual presentan prioridad sobre los ejecutables previstos. • https://security.netapp.com/advisory/ntap-20201001-0006 https://www.postgresql.org/about/news/2038 https://www.postgresql.org/support/security/11 • CWE-426: Untrusted Search Path •
CVE-2020-14350 – postgresql: Uncontrolled search path element in CREATE EXTENSION
https://notcve.org/view.php?id=CVE-2020-14350
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23. Se detectó que algunas extensiones de PostgreSQL no usaban la función search_path de forma segura en su script de instalación. Un atacante con suficientes privilegios podría usar este fallo para engañar a un administrador para ejecutar un script especialmente diseñado durante la instalación o actualización de dicha extensión. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html https://bugzilla.redhat.com/show_bug.cgi?id=1865746 https: • CWE-20: Improper Input Validation CWE-426: Untrusted Search Path •