CVSS: 7.7EPSS: 1%CPEs: 6EXPL: 0CVE-2020-13692 – postgresql-jdbc: XML external entity (XXE) vulnerability in PgSQLXML
https://notcve.org/view.php?id=CVE-2020-13692
PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE. PostgreSQL JDBC Driver (también se conoce como PgJDBC) versiones anteriores a 42.2.13, permite un ataque de tipo XXE A flaw was found in PostgreSQL JDBC in versions prior to 42.2.13. An XML External Entity (XXE) weakness was found in PostgreSQL JDBC. The highest threat from this vulnerability is to data confidentiality and system availability. • https://github.com/pgjdbc/pgjdbc/commit/14b62aca4764d496813f55a43d050b017e01eb65 https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13 https://lists.apache.org/thread.html/r00bcc6b2da972e0d6332a4ebc7807e17305d8b8e7fb2ae63d2a3cbfb%40%3Ccommits.camel.apache.org%3E https://lists.apache.org/thread.html/r01ae1b3d981cf2e563e9b5b0a6ea54fb3cac8e9a0512ee5269e3420e%40%3Ccommits.camel.apache.org%3E https://lists.apache.org/thread.html/r0478a1aa9ae0dbd79d8f7b38d0d93fa933ac232e2b430b6f31a103c0%40%3Ccommits.camel.apache.org%3E https://lists.apache.org/thread.html/ • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 6.5EPSS: 0%CPEs: 7EXPL: 0CVE-2020-1720 – postgresql: ALTER ... DEPENDS ON EXTENSION is missing authorization checks
https://notcve.org/view.php?id=CVE-2020-1720
A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17. Se detectó un fallo en "ALTER ... • http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720 https://www.postgresql.org/about/news/2011 https://access.redhat.com/security/cve/CVE-2020-1720 https://bugzilla.redhat.com/show_bug.cgi?id=1798852 • CWE-285: Improper Authorization CWE-862: Missing Authorization •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 1CVE-2019-3466
https://notcve.org/view.php?id=CVE-2019-3466
The pg_ctlcluster script in postgresql-common in versions prior to 210 didn't drop privileges when creating socket/statistics temporary directories, which could result in local privilege escalation. El script pg_ctlcluster en postgresql-common en versiones anteriores a 210, no eliminó los privilegios cuando se crean directorios temporales socket/statistics, lo que podría resultar en una escalada de privilegios local. • https://blog.mirch.io/2019/11/15/cve-2019-3466-debian-ubuntu-pg_ctlcluster-privilege-escalation https://usn.ubuntu.com/4194-2 • CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 6EXPL: 0CVE-2019-10211
https://notcve.org/view.php?id=CVE-2019-10211
Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via bundled OpenSSL executing code from unprotected directory. El instalador de Postgresql Windows anterior a las versiones 11.5, 10.10, 9.6.15, 9.5.19 y 9.4.24, es vulnerable por medio del código de ejecución de OpenSSL integrado desde un directorio desprotegido • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10211 https://www.postgresql.org/about/news/1960 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVSS: 7.0EPSS: 0%CPEs: 6EXPL: 0CVE-2019-10210
https://notcve.org/view.php?id=CVE-2019-10210
Postgresql Windows installer before versions 11.5, 10.10, 9.6.15, 9.5.19, 9.4.24 is vulnerable via superuser writing password to unprotected temporary file. El instalador de Postgresql Windows anterior a las versiones 11.5, 10.10, 9.6.15, 9.5.19 y 9.4.24, es vulnerable por medio de un superusuario al escribir una contraseña en un archivo temporal desprotegido. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10210 https://www.postgresql.org/about/news/1960 • CWE-522: Insufficiently Protected Credentials •