Authorization Flaw in PostgreSQL Affecting Multiple Versions
CVE-2020-1720

3.1LOW

Key Information:

Vendor: Red Hat
Status: Postgresql
Vendor: CVE Published:; 17 March 2020

What is CVE-2020-1720?

A flaw exists within PostgreSQL's handling of the 'ALTER ... DEPENDS ON EXTENSION' command, where sub-commands fail to conduct proper authorization checks. This oversight allows an authenticated attacker, under specific configurations, to potentially execute drop commands on critical database objects such as functions and triggers. The result could lead to significant database corruption, affecting the integrity and availability of stored data. Affected versions include PostgreSQL versions prior to 12.2, 11.7, 10.12, and 9.6.17, necessitating immediate attention to mitigate associated risks.

Affected Version(s)

postgresql 12.2

postgresql 11.7

postgresql 10.12

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720

x_refsource_CONFIRM

https://www.postgresql.org/about/news/2011/

x_refsource_MISC

http://lists.opensuse.org/opensuse-security-announce/2020...

vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:

3.1

Severity:

LOW

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 17, 2020
Vulnerability Reserved
Nov 27, 2019

Red Hat

What is CVE-2020-1720?

Affected Version(s)

References

CVSS V3.1

Timeline