Amazon Linux 2 : libpq (ALASPOSTGRESQL13-2025-010)

🗓️ 06 Mar 2025 00:00:00Reported by TenableType

libpq prior to version 13.20-1 is vulnerable to SQL injection via improper quoting syntax.

Reporter	Title	Published	Views	Family All 448
0day.today	BeyondTrust Remote Code Execution Exploit	20 Feb 202500:00	–	zdt
GithubExploit	Exploit for CVE-2025-1094	14 Mar 202520:21	–	githubexploit
GithubExploit	Exploit for CVE-2025-1094	27 Feb 202511:08	–	githubexploit
GithubExploit	Exploit for CVE-2025-1094	5 Mar 202504:20	–	githubexploit
GithubExploit	Exploit for CVE-2025-1094	19 Oct 202518:08	–	githubexploit
GithubExploit	Exploit for CVE-2025-1094	18 Jun 202515:18	–	githubexploit
GithubExploit	Exploit for CVE-2025-1094	23 Jun 202518:01	–	githubexploit
GithubExploit	Exploit for CVE-2025-1094	10 May 202611:48	–	githubexploit
IBM Security Bulletins	Security Bulletin: Multiple Vulnerabilities Affected for EDB	21 Jul 202513:52	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Sterling Connect:Direct Web Services 6.1 is affected by PostgreSQL vulnerability.	11 Apr 202516:51	–	ibm

Source	Link
alas	www.alas.aws.amazon.com/AL2/ALASPOSTGRESQL13-2025-010.html
alas	www.alas.aws.amazon.com/cve/html/CVE-2025-1094.html
alas	www.alas.aws.amazon.com/faqs.html
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALASPOSTGRESQL13-2025-010.
##

include('compat.inc');

if (description)
{
  script_id(232225);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/10/30");

  script_cve_id("CVE-2025-1094");

  script_name(english:"Amazon Linux 2 : libpq (ALASPOSTGRESQL13-2025-010)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of libpq installed on the remote host is prior to 13.20-1. It is, therefore, affected by a vulnerability as
referenced in the ALAS2POSTGRESQL13-2025-010 advisory.

    Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(),
    PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to
    achieve SQL injection in certain usage patterns.  Specifically, SQL injection requires the application to
    use the function result to construct input to psql, the PostgreSQL interactive terminal.  Similarly,
    improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of
    command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of
    EUC_TW or MULE_INTERNAL.  Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
    (CVE-2025-1094)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALASPOSTGRESQL13-2025-010.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2025-1094.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update libpq' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-1094");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) unauthenticated Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/02/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/03/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/03/06");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libpq");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libpq-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:libpq-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var REPOS_FOUND = TRUE;
var extras_list = get_kb_item("Host/AmazonLinux/extras_label_list");
if (isnull(extras_list)) REPOS_FOUND = FALSE;
var repository = '"amzn2extra-postgresql13"';
if (REPOS_FOUND && (repository >!< extras_list)) exit(0, AFFECTED_REPO_NOT_ENABLED);

var pkgs = [
    {'reference':'libpq-13.20-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'postgresql13'},
    {'reference':'libpq-13.20-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'postgresql13'},
    {'reference':'libpq-13.20-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'postgresql13'},
    {'reference':'libpq-debuginfo-13.20-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'postgresql13'},
    {'reference':'libpq-debuginfo-13.20-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'postgresql13'},
    {'reference':'libpq-debuginfo-13.20-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'postgresql13'},
    {'reference':'libpq-devel-13.20-1.amzn2.0.1', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'postgresql13'},
    {'reference':'libpq-devel-13.20-1.amzn2.0.1', 'cpu':'i686', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'postgresql13'},
    {'reference':'libpq-devel-13.20-1.amzn2.0.1', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'postgresql13'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  var extra = rpm_report_get();
  if (!REPOS_FOUND) extra = rpm_report_get() + report_repo_caveat();
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : extra
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libpq / libpq-debuginfo / libpq-devel");
}

30 Oct 2025 00:00Current

8.2High risk

Vulners AI Score8.2

CVSS 3.18.1

EPSS0.82364

SSVC

libpq vulnerability sql injection improper quoting postgresql versions prior to 13.20-1