CVE-2020-1720

3.1LOW

Key Information:

Vendor
Red Hat
Status
Postgresql
Vendor
CVE Published:
17 March 2020

Summary

A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.

Affected Version(s)

postgresql 12.2

postgresql 11.7

postgresql 10.12

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720
x_refsource_CONFIRM
https://www.postgresql.org/about/news/2011/
x_refsource_MISC
http://lists.opensuse.org/opensuse-security-announce/2020...
vendor-advisoryx_refsource_SUSE

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.