CVE-2020-25695
published 2020-11-16


Priority: P2 71 high
CVSS 3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 46.44% (98.7th percentile)
A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Affected

10 ranges

Vendor      Product                                    Version range                      Fixed in
debian      debian_linux
debian      postgresql-13                              < postgresql-13 13.1-1 (bullseye)   postgresql-13 13.1-1 (bullseye)
msrc        cm1_postgresql_12.7-1_on_cbl_mariner_1.0
postgresql  postgresql                                 < 9.5.24                           9.5.24
postgresql  postgresql
postgresql  postgresql                                 >= 10.0 < 10.15                    10.15
postgresql  postgresql                                 >= 11.0 < 11.10                    11.10
postgresql  postgresql                                 >= 12.0 < 12.5                     12.5
postgresql  postgresql                                 >= 13.0 < 13.1                     13.1
postgresql  postgresql                                 >= 9.6.0 < 9.6.20                  9.6.20

Detection & IOCs (extracted from sources)

  • The exploit escapes the 'security restricted operation' sandbox via maintenance commands; monitor for non-superuser execution of ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, or pg_dump restores that results in superuser-context SQL execution
  • The upstream patch commit for CVE-2020-25695 can be used to distinguish patched from unpatched PostgreSQL binaries, or diffed to develop detection rules
  • A public exploit/PoC walkthrough is available at the external reference URL; access to this resource from internal hosts is a potential indicator of attacker reconnaissance
  • The attacker must have permission to create non-temporary objects in at least one schema; audit PostgreSQL schema-creation privileges held by non-superuser accounts as a detection and hardening measure
  • Vulnerable PostgreSQL versions are those before 13.1, 12.5, 11.10, 10.15, 9.6.20, and 9.5.24; any instance running one of these versions is exploitable if a non-superuser has schema object creation rights
  • Disabling autovacuum and avoiding ANALYZE, CLUSTER, REINDEX, CREATE INDEX, VACUUM FULL, REFRESH MATERIALIZED VIEW, and pg_dump restores is a temporary workaround only; VACUUM (without FULL) and these commands run on objects owned by trusted users remain safe

CVSS provenance

Source          Version  Score  Severity  Vector
nvd             v3.1     8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0     6.5    MEDIUM    AV:N/AC:L/Au:S/C:P/I:P/A:P
osv                      8.8    HIGH
vendor_debian            8.8    HIGH
vendor_msrc              8.8    HIGH
vendor_redhat            8.8    HIGH
vendor_ubuntu            8.1    HIGH