Authorization Flaw in PostgreSQL Affecting Multiple Versions
CVE-2020-1720

3.1LOW

Key Information:

Vendor
Red Hat
Status
Postgresql
Vendor
CVE Published:
17 March 2020

Summary

A flaw exists within PostgreSQL's handling of the 'ALTER ... DEPENDS ON EXTENSION' command, where sub-commands fail to conduct proper authorization checks. This oversight allows an authenticated attacker, under specific configurations, to potentially execute drop commands on critical database objects such as functions and triggers. The result could lead to significant database corruption, affecting the integrity and availability of stored data. Affected versions include PostgreSQL versions prior to 12.2, 11.7, 10.12, and 9.6.17, necessitating immediate attention to mitigate associated risks.

Affected Version(s)

postgresql 12.2

postgresql 11.7

postgresql 10.12

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720
x_refsource_CONFIRM
https://www.postgresql.org/about/news/2011/
x_refsource_MISC
http://lists.opensuse.org/opensuse-security-announce/2020...
vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.