CVSS3: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
AI Score Confidence: Low
EPSS Percentile: 20.0%
PostgreSQL project reports:
An attacker able to create and drop non-temporary objects could inject SQL code that would be executed by a concurrent pg_dump session with the privileges of the role running pg_dump (which is often a superuser). The attack involves replacing a sequence or similar object with a view or foreign table that will execute malicious code. To prevent this, introduce a new server parameter restrict_nonsystem_relation_kind that can disable expansion of non-builtin views as well as access to foreign tables, and teach pg_dump to set it when available. Note that the attack is prevented only if both pg_dump and the server it is dumping from are new enough to have this fix.
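As an added defender-side check (not part of the advisory or of PostgreSQL's own code), the following psql session, assumed to run as a superuser on the server about to be dumped, confirms whether the server exposes the restrict_nonsystem_relation_kind parameter and lists the non-system views, foreign tables and CREATE-capable non-superuser roles that the substitution described above depends on.

```sql
-- 1. Does this server carry the fix?  The parameter exists only on patched builds.
--    An empty result means the server predates the fix, so pg_dump cannot protect
--    itself against object substitution here regardless of its own version.
SELECT name, setting
FROM pg_settings
WHERE name = 'restrict_nonsystem_relation_kind';

-- 2. Non-system views and foreign tables owned by non-superusers.  These are the
--    object kinds the advisory says an attacker would swap in for a sequence, so
--    they deserve review before pg_dump is run under a superuser role.
SELECT n.nspname AS schema,
       c.relname AS relation,
       CASE c.relkind WHEN 'v' THEN 'view' WHEN 'f' THEN 'foreign table' END AS kind,
       r.rolname AS owner
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
JOIN pg_roles r     ON r.oid = c.relowner
WHERE c.relkind IN ('v', 'f')
  AND NOT r.rolsuper
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_toast%'
ORDER BY 1, 2;

-- 3. Non-superuser login roles that can create objects in a user schema, i.e. the
--    precondition the advisory names ("able to create and drop non-temporary objects").
SELECT n.nspname AS schema,
       r.rolname AS role
FROM pg_namespace n
CROSS JOIN pg_roles r
WHERE NOT r.rolsuper
  AND r.rolcanlogin
  AND has_schema_privilege(r.oid, n.oid, 'CREATE')
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND n.nspname NOT LIKE 'pg_toast%'
ORDER BY 1, 2;
```

Query 1 is the quick version check; queries 2 and 3 narrow the review to the objects and roles that matter while the listed packages are still below the fixed versions.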
OS | OS Version | Architecture | Package | Package Version | Filename |
---|---|---|---|---|---|
FreeBSD | any | noarch | postgresql12-client | < 12.20 | UNKNOWN |
FreeBSD | any | noarch | postgresql13-client | < 13.16 | UNKNOWN |
FreeBSD | any | noarch | postgresql14-client | < 14.13 | UNKNOWN |
FreeBSD | any | noarch | postgresql15-client | < 15.8 | UNKNOWN |
FreeBSD | any | noarch | postgresql16-client | < 16.4 | UNKNOWN |
FreeBSD | any | noarch | postgresql12-server | < 12.20 | UNKNOWN |
FreeBSD | any | noarch | postgresql13-server | < 13.16 | UNKNOWN |
FreeBSD | any | noarch | postgresql14-server | < 14.13 | UNKNOWN |
FreeBSD | any | noarch | postgresql15-server | < 15.8 | UNKNOWN |
FreeBSD | any | noarch | postgresql16-server | < 16.4 | UNKNOWN |