It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script during the installation or update of such extension. This affects PostgreSQL versions before 12.4 before 11.9 before 10.14 before 9.6.19 and before 9.5.23.

🗓️ 28 Aug 2020 07:00:00Reported by MicrosoftType

Unsafe search_path in PostgreSQL extension installs enables crafted scripts on versions before 12.4, 11.9, 10.14, 9.6.19, and 9.5.23.

Reporter	Title	Published	Views	Family All 206
ALT Linux	Security fix for the ALT Linux 8 package postgresql11 version 11.9-alt0.M80P.1	20 Aug 202000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 10 package postgresql15 version 12.4-alt1	12 Aug 202000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 8 package postgresql9.6 version 9.6.19-alt0.M80P.1	20 Aug 202000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 9 package postgresql9.6 version 9.6.19-alt1	18 Aug 202000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 9 package postgresql12-1C version 11.9-alt1	12 Aug 202000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 8 package postgresql10 version 10.14-alt0.M80P.1	20 Aug 202000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 10 package postgresql12 version 12.4-alt1	12 Aug 202000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 10 package postgresql13 version 12.4-alt1	12 Aug 202000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 8 package postgresql11-1C version 11.9-alt0.M80P.1	20 Aug 202000:00	–	altlinux
ALT Linux	Security fix for the ALT Linux 10 package postgresql14 version 12.4-alt1	12 Aug 202000:00	–	altlinux

Vulners

Node

28 Aug 2020 07:00Current

7High risk

Vulners AI Score7

CVSS 24.4

CVSS 3.17.3

EPSS0.0003