CVE-2020-1720

Published: 13 February 2020

A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to perform drop objects such as function, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.

Notes

Author	Note
mdeslaur	affected 9.6 and higher only

Priority

Cvss 3 Severity Score

6.5

Score breakdown

Status

Package	Release	Status
postgresql-10 Launchpad, Ubuntu, Debian	bionic	Released (10.12-0ubuntu0.18.04.1)
	eoan	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
postgresql-11 Launchpad, Ubuntu, Debian	bionic	Does not exist
	eoan	Released (11.7-0ubuntu0.19.10.1)
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
postgresql-12 Launchpad, Ubuntu, Debian	bionic	Does not exist
	eoan	Does not exist
	trusty	Does not exist
	upstream	Released (12.2-1)
	xenial	Does not exist
postgresql-9.1 Launchpad, Ubuntu, Debian	bionic	Does not exist
	eoan	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Does not exist
postgresql-9.3 Launchpad, Ubuntu, Debian	bionic	Does not exist
	eoan	Does not exist
	trusty	Not vulnerable
	upstream	Needs triage
	xenial	Does not exist
postgresql-9.5 Launchpad, Ubuntu, Debian	bionic	Does not exist
	eoan	Does not exist
	trusty	Does not exist
	upstream	Needs triage
	xenial	Not vulnerable

Severity score breakdown

Parameter	Value
Base score	6.5
Attack vector	Network
Attack complexity	Low
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	High
Availability impact	None
Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

References

Join the discussion

Canonical is offering Expanded Security Maintenance

Canonical is offering Ubuntu Expanded Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM ›