PostgreSQL Search Path Misconfiguration Vulnerability in Extensions
CVE-2020-14350

7.3HIGH

Key Information:

Vendor: Postgresql
Status: Postgresql
Vendor: CVE Published:; 24 August 2020

What is CVE-2020-14350?

Certain PostgreSQL extensions contain a misconfiguration within their installation scripts that fails to use the search_path securely. This flaw permits an attacker with sufficient privileges to manipulate an administrator into inadvertently executing a crafted script during the installation or update process. The affected versions span PostgreSQL 12.4, 11.9, 10.14, 9.6.19, and 9.5.23 and require immediate attention to mitigate potential exploitation.

Affected Version(s)

PostgreSQL PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23

References

http://lists.opensuse.org/opensuse-security-announce/2020...

vendor-advisoryx_refsource_SUSE

http://lists.opensuse.org/opensuse-security-announce/2020...

vendor-advisoryx_refsource_SUSE

http://lists.opensuse.org/opensuse-security-announce/2020...

vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 24, 2020
Vulnerability Reserved
Jun 17, 2020

Postgresql

What is CVE-2020-14350?

Affected Version(s)

References

CVSS V3.1

Timeline