CVSS3: 7.2 High

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | HIGH |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9 High

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | COMPLETE |
Integrity Impact | COMPLETE |
Availability Impact | COMPLETE |

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS: 0.975 High (Percentile: 100.0%)

DISPUTED In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM"
function allows superusers and users in the "pg_execute_server_program"
group to execute arbitrary code in the context of the database's operating
system user. This functionality is enabled by default and can be abused to
run arbitrary operating system commands on Windows, Linux, and macOS. NOTE:
Third parties claim/state this is not an issue because PostgreSQL
functionality for "COPY TO/FROM PROGRAM" is acting as intended. References
state that in PostgreSQL, a superuser can execute commands as the server
user without using the "COPY FROM PROGRAM".
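
An added audit query, not part of the CVE record or of PostgreSQL's own material, that lists the roles the description names as able to use COPY TO/FROM PROGRAM: superusers and direct or indirect members of pg_execute_server_program. It reads only the pg_roles and pg_auth_members catalogs; the output column names reason and grant_path are chosen here for illustration.

```sql
-- Roles able to run COPY ... TO/FROM PROGRAM on this server.
-- pg_execute_server_program exists in PostgreSQL 11 and later; on older
-- versions the recursive part returns no rows and only superusers are listed.
WITH RECURSIVE grantees AS (
    -- Seed: the predefined role itself.
    SELECT r.oid AS member_oid,
           ARRAY[r.rolname::text] AS via
    FROM pg_roles r
    WHERE r.rolname = 'pg_execute_server_program'
  UNION ALL
    -- Step: any role that is a member of a role already in the set can
    -- reach the privilege too (by inheritance or by SET ROLE).
    SELECT m.member,
           g.via || mr.rolname::text
    FROM grantees g
    JOIN pg_auth_members m ON m.roleid = g.member_oid
    JOIN pg_roles mr ON mr.oid = m.member
    WHERE mr.rolname::text <> ALL (g.via)   -- defensive guard against loops
)
SELECT r.rolname,
       r.rolcanlogin,
       'superuser' AS reason,
       NULL::text  AS grant_path
FROM pg_roles r
WHERE r.rolsuper
UNION ALL
SELECT r.rolname,
       r.rolcanlogin,
       'member of pg_execute_server_program',
       array_to_string(g.via, ' <- ')        -- chain of grants, root first
FROM grantees g
JOIN pg_roles r ON r.oid = g.member_oid
WHERE r.rolname <> 'pg_execute_server_program'
ORDER BY rolname;
```

Rows with rolcanlogin = true are the accounts to review first; a role reachable through more than one grant chain appears once per chain.
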
Author | Note |
---|---|
mdeslaur | upstream doesn't consider this to be a security issue. Marking as not-affected |
launchpad.net/bugs/cve/CVE-2019-9193
medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5
nvd.nist.gov/vuln/detail/CVE-2019-9193
paquier.xyz/postgresql-2/postgres-9-3-feature-highlight-copy-tofrom-program/
security-tracker.debian.org/tracker/CVE-2019-9193
www.cve.org/CVERecord?id=CVE-2019-9193
www.postgresql.org/about/news/1935/