CVE-2020-14350 — Untrusted Search Path in Postgresql
Severity
7.3HIGHNVD
EPSS
0.0%
top 91.43%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedAug 24
Latest updateFeb 15
Description
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:HExploitability: 1.3 | Impact: 5.9
Affected Packages4 packages
▶CVEListV5postgresql/postgresqlPostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23
Also affects: Debian Linux 9.0, Ubuntu Linux 16.04, 18.04, 20.04
🔴Vulnerability Details
3📋Vendor Advisories
3Microsoft▶
It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into exec↗2020-08-11
💬Community
6Bugzilla▶
CVE-2020-14350 postgresql:12/postgresql: Uncontrolled search path element in CREATE EXTENSION [fedora-all]↗2020-08-13
Bugzilla▶
CVE-2020-14350 postgresql: Uncontrolled search path element in CREATE EXTENSION [fedora-all]↗2020-08-13
Bugzilla▶
CVE-2020-14350 postgresql:10/postgresql: Uncontrolled search path element in CREATE EXTENSION [fedora-all]↗2020-08-13
Bugzilla▶
CVE-2020-14350 postgresql:11/postgresql: Uncontrolled search path element in CREATE EXTENSION [fedora-all]↗2020-08-13
Bugzilla▶
CVE-2020-14350 postgresql:9.6/postgresql: Uncontrolled search path element in CREATE EXTENSION [fedora-all]↗2020-08-13