Arbitrary Code Execution in PostgreSQL Installer by PostgreSQL
CVE-2020-10733

7.3HIGH

Key Information:

Vendor

Postgresql
Status
Postgresql
Vendor
CVE Published:
16 September 2020

What is CVE-2020-10733?

The PostgreSQL installer for versions 9.5 through 12 has a vulnerability that allows an attacker, with proper permissions, to place malicious executables in directories searched by the installer. Due to the lack of fully-qualified paths when invoking system-provided executables, this allows those malicious executables to take precedence, potentially leading to execution of arbitrary code with administrative privileges during the installation process.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

PostgreSQL 9.5, 9.6, 10, 11, 12

References

https://www.postgresql.org/support/security/11/
x_refsource_MISC
https://www.postgresql.org/about/news/2038/
x_refsource_MISC
https://security.netapp.com/advisory/ntap-20201001-0006/
x_refsource_CONFIRM

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.