CVE-2020-25696

2020-11-1300:00:00

ubuntu.com

7.6 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

HIGH

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:H/Au:N/C:C/I:C/A:C

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

0.004 Low

EPSS

Percentile

73.0%

JSON

A flaw was found in the psql interactive terminal of PostgreSQL in versions
before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and
before 9.5.24. If an interactive psql session uses \gset when querying a
compromised server, the attacker can execute arbitrary code as the
operating system account running psql. The highest threat from this
vulnerability is to data confidentiality and integrity as well as system
availability.

Notes

Author	Note
leosilva	PostgreSQL 9.1 is end of life upstream, and no updates are are available. Marking as ignored in precise. PostgreSQL 9.3 is end of life upstream, and no updates are are available. Marking as deferred in -esm-main releases.

OSVersionArchitecturePackageVersionFilename
ubuntu18.04noarchpostgresql-10< 10.15-0ubuntu0.18.04.1UNKNOWN
ubuntu20.04noarchpostgresql-12< 12.5-0ubuntu0.20.04.1UNKNOWN
ubuntu20.10noarchpostgresql-12< 12.5-0ubuntu0.20.10.1UNKNOWN
ubuntu14.04noarchpostgresql-9.3< anyUNKNOWN
ubuntu16.04noarchpostgresql-9.5< 9.5.24-0ubuntu0.16.04.1UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	18.04	noarch	postgresql-10	< 10.15-0ubuntu0.18.04.1	UNKNOWN
ubuntu	20.04	noarch	postgresql-12	< 12.5-0ubuntu0.20.04.1	UNKNOWN
ubuntu	20.10	noarch	postgresql-12	< 12.5-0ubuntu0.20.10.1	UNKNOWN
ubuntu	14.04	noarch	postgresql-9.3	< any	UNKNOWN
ubuntu	16.04	noarch	postgresql-9.5	< 9.5.24-0ubuntu0.16.04.1	UNKNOWN