Local Code Execution Vulnerability in PostgreSQL by EnterpriseDB
CVE-2019-10128

7.8HIGH

Key Information:

Vendor: Postgresql
Status: Postgresql
Vendor: CVE Published:; 19 March 2021

What is CVE-2019-10128?

A security vulnerability exists in PostgreSQL versions prior to 11.3, which results from inadequate access control on the binary and data directories in the Windows installer provided by EnterpriseDB. This improper configuration permits local attackers to read sensitive files within the data directory, thus bypassing the read access restrictions enforced by the database. Moreover, in certain configurations, an attacker with an unprivileged Windows account can exploit this flaw to execute arbitrary code under the context of the PostgreSQL service, posing significant risks to system integrity.

Affected Version(s)

postgresql 11.x prior to 11.3

References

https://www.postgresql.org/about/news/1939/

x_refsource_MISC

https://bugzilla.redhat.com/show_bug.cgi?id=1707102

x_refsource_MISC

https://security.netapp.com/advisory/ntap-20210430-0004/

x_refsource_CONFIRM

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 19, 2021
Vulnerability Reserved
Mar 27, 2019

Postgresql

What is CVE-2019-10128?

Affected Version(s)

References

CVSS V3.1

Timeline