CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2020-1720 – postgresql: ALTER ... DEPENDS ON EXTENSION is missing authorization checks
https://notcve.org/view.php?id=CVE-2020-1720
A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17. Se detectó un fallo en "ALTER ... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720 https://www.postgresql.org/about/news/2011 https://access.redhat.com/security/cve/CVE-2020-1720 https://bugzilla.redhat.com/show_bug.cgi?id=1798852 • CWE-285: Improper Authorization CWE-862: Missing Authorization •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2019-10211
https://notcve.org/view.php?id=CVE-2019-10211
Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory. El instalador de Postgresql Windows anterior a las versiones 11.5, 10.10, 9.6.15, 9.5.19 y 9.4.24, es vulnerable por medio del código de ejecución de OpenSSL integrado desde un directorio desprotegido • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10211 https://www.postgresql.org/about/news/1960 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.0EPSS: 0%CPEs: 6EXPL: 0CVE-2019-10210
https://notcve.org/view.php?id=CVE-2019-10210
Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via superuser writing password to unprotected temporary file. El instalador de Postgresql Windows anterior a las versiones 11.5, 10.10, 9.6.15, 9.5.19 y 9.4.24, es vulnerable por medio de un superusuario al escribir una contraseña en un archivo temporal desprotegido. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10210 https://www.postgresql.org/about/news/1960 • CWE-522: Insufficiently Protected Credentials •
CVSS: 3.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10209
https://notcve.org/view.php?id=CVE-2019-10209
Postgresql, versions 11.x before 11.5, is vulnerable to a memory disclosure in cross-type comparison for hashed subplan. Postgresql, versiones 11.x anteriores a 11.5, es vulnerable a una divulgación de memoria en comparación de tipo cruzada para un subplan de hash. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10209 https://www.postgresql.org/about/news/1960 • CWE-125: Out-of-bounds Read CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2019-10208 – postgresql: TYPE in pg_temp executes arbitrary SQL during SECURITY DEFINER execution
https://notcve.org/view.php?id=CVE-2019-10208
A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function. Se descubrió un fallo en postgresql versiones 9.4.x en versiones anteriores a la 9.4.24, versiones 9.5.x en versiones anteriores a la 9.5.19, versiones 9.6.x en versiones anteriores a la 9.6.15, versiones 10.x en versiones anteriores a la 10.10 y versiones 11.x en versiones anteriores a la 11.5 donde pueden ser ejecutadas sentencias SQL arbitrarias dada una función SECURITY DEFINER adecuada. Un atacante, con permiso EXECUTE sobre la función, puede ejecutar código SQL arbitrario como propietario de la función. A flaw was discovered in postgresql where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10208 https://www.postgresql.org/about/news/1960 https://access.redhat.com/security/cve/CVE-2019-10208 https://bugzilla.redhat.com/show_bug.cgi?id=1734416 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •