CVE-2020-25695
Published 2020-11-16
Priority: P2 · 71 · high · 8.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 46.44% (98.7th percentile)
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | postgresql-13 | < postgresql-13 13.1-1 (bullseye) | postgresql-13 13.1-1 (bullseye) |
| msrc | cm1_postgresql_12.7-1_on_cbl_mariner_1.0 | — | — |
| postgresql | postgresql | < 9.5.24 | 9.5.24 |
| postgresql | postgresql | — | — |
| postgresql | postgresql | >= 10.0 < 10.15 | 10.15 |
| postgresql | postgresql | >= 11.0 < 11.10 | 11.10 |
| postgresql | postgresql | >= 12.0 < 12.5 | 12.5 |
| postgresql | postgresql | >= 13.0 < 13.1 | 13.1 |
| postgresql | postgresql | >= 9.6.0 < 9.6.20 | 9.6.20 |
Detection & IOCs (extracted from sources)
- Exploit abuses the 'security restricted operation' sandbox escape via maintenance commands; monitor for non-superuser execution of ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or pg_dump restores that result in superuser-context SQL execution.
- The upstream patch commit for CVE-2020-25695 can be used to identify patched vs. unpatched PostgreSQL binaries, or diffed for detection rule development.
- A public exploit/PoC walkthrough is available at the external reference URL; monitor for access to this resource by internal hosts as a potential indicator of attacker reconnaissance.
- The attacker must have permission to create non-temporary objects in at least one schema; audit PostgreSQL schema-creation privileges for non-superuser accounts as a detection/hardening measure.
- Vulnerable PostgreSQL versions are before 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24; any instance running these versions is exploitable if a non-superuser has schema object creation rights.
- Disabling autovacuum and avoiding ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, and pg_dump restores is a temporary workaround only; VACUUM (without FULL) and commands on trusted-user-owned objects remain safe.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
| vendor_msrc | — | 8.8 | HIGH | — |
| vendor_redhat | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 8.1 | HIGH | — |
Ubuntu
PostgreSQL vulnerabilities
vendor_ubuntu · 2020-11-17 · CVSS 8.1 · CVE-2020-25694 [HIGH]
Summary: Several security issues were fixed in PostgreSQL.
Peter Eisentraut discovered that PostgreSQL incorrectly handled connection
security settings. Client applications could possibly be connecting with
certain security parameters dropped, contrary to expectations.
(CVE-2020-25694)
Etienne Stalmans discovered that PostgreSQL incorrectly handled the
security restricted operation sandbox. An authenticated remote attacker
could possibly use this issue to execute arbitrary SQL functions as a
superuser. (CVE-2020-25695)
Nick Cleaton discovered that PostgreSQL incorrectly handled the \gset
meta-command. A remote attacker with a compromised server could possibly
use this issue to execute arbitrary code. (CVE-2020-25696)
Instructions: This update uses a n
Red Hat
postgresql: Multiple features escape "security restricted operation" sandbox
vendor_redhat · 2020-11-12 · CVSS 8.8 · CVE-2020-25695 [HIGH] · CWE-89
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
A flaw was found in postgresql. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Statement: In Red
Microsoft
vendor_msrc · 2020-11-10 · CVSS 8.8 · CVE-2020-25695 [HIGH] · CWE-89
A flaw was found in PostgreSQL versions before 13.1 before 12.5 before 11.10 before 10.15 before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed t
Debian
CVE-2020-25695: postgresql-13
vendor_debian · 2020 · CVSS 8.8 · CVE-2020-25695 [HIGH]
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Scope: local
bullseye: resolved (fixed in 13.1-1)
GHSA
SQL Injection
ghsa_unreviewed · 2022-02-15 · CVE-2020-25695 [HIGH] · CWE-89
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
OSV
postgresql-10, postgresql-12, postgresql-9.5 vulnerabilities
osv · 2020-11-17 · CVSS 8.1 · CVE-2020-25694 [HIGH]
Peter Eisentraut discovered that PostgreSQL incorrectly handled connection
security settings. Client applications could possibly be connecting with
certain security parameters dropped, contrary to expectations.
(CVE-2020-25694)
Etienne Stalmans discovered that PostgreSQL incorrectly handled the
security restricted operation sandbox. An authenticated remote attacker
could possibly use this issue to execute arbitrary SQL functions as a
superuser. (CVE-2020-25695)
Nick Cleaton discovered that PostgreSQL incorrectly handled the \gset
meta-command. A remote attacker with a compromised server could possibly
use this issue to execute arbitrary code. (CVE-2020-25696)
OSV
CVE-2020-25695
osv · 2020-11-16 · CVSS 8.8 · CVE-2020-25695 [HIGH]
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
No detection rules found.
No public exploits indexed.
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1894425
- https://lists.debian.org/debian-lts-announce/2020/12/msg00005.html
- https://security.gentoo.org/glsa/202012-07
- https://security.netapp.com/advisory/ntap-20201202-0003/
- https://www.postgresql.org/support/security/