8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
0.026 Low
EPSS
Percentile
90.1%
Severity: High
Date : 2020-11-17
CVE-ID : CVE-2020-25694 CVE-2020-25695 CVE-2020-25696
Package : postgresql
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-1276
The package postgresql before version 12.5-1 is vulnerable to multiple
issues including sandbox escape, arbitrary code execution and silent
downgrade.
Upgrade to 12.5-1.
The problems have been fixed upstream in version 12.5.
None.
A security issue has been found in PostgreSQL before 12.5. Many
PostgreSQL-provided client applications have options that create
additional database connections. Some of those applications reuse only
the basic connection parameters (e.g. host, user, port), dropping
others. If this drops a security-relevant parameter (e.g.
channel_binding, sslmode, requirepeer, gssencmode), the attacker has an
opportunity to complete a MITM attack or observe cleartext
transmission.
Affected applications are clusterdb, pg_dump, pg_restore, psql,
reindexdb, and vacuumdb. The vulnerability arises only if one invokes
an affected client application with a connection string containing a
security-relevant parameter.
A security issue has been found in PostgreSQL before 12.5, where an
attacker having permission to create non-temporary objects in at least
one schema can execute arbitrary SQL functions under the identity of a
superuser.
While promptly updating PostgreSQL is the best remediation for most
users, a user unable to do that can work around the vulnerability by
disabling autovacuum and not manually running ANALYZE, CLUSTER,
REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or a
restore from output of the pg_dump command. Performance may degrade
quickly under this workaround. VACUUM without the FULL option is safe,
and all commands are fine when a trusted user owns the target object.
A security issue has been found in PostgreSQL before 12.5, where psql’s
\gset allows overwriting specially treated variables. The \gset meta-
command, which sets psql variables based on query results, does not
distinguish variables that control psql behavior. If an interactive
psql session uses \gset when querying a compromised server, the
attacker can execute arbitrary code as the operating system account
running psql. Using \gset with a prefix not found among specially
treated variables, e.g. any lowercase string, precludes the attack in
an unpatched psql.
An attacker in position of man-in-the-middle might be able to access
sensitive information or even alter SQL commands. A remote,
authenticated attacker might be able to escape the PG sandbox and
execute arbitrary code on the server.
https://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/
https://security.archlinux.org/CVE-2020-25694
https://security.archlinux.org/CVE-2020-25695
https://security.archlinux.org/CVE-2020-25696
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ArchLinux | any | any | postgresql | < 12.5-1 | UNKNOWN |
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.6 High
CVSS2
Access Vector
NETWORK
Access Complexity
HIGH
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:H/Au:N/C:C/I:C/A:C
0.026 Low
EPSS
Percentile
90.1%