CVE-2020-25695SQL Injection in Postgresql

CWE-89SQL Injection9 documents8 sources
Severity
8.8HIGHNVD
OSV8.1
EPSS
23.8%
top 3.98%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
PostgresqlDebian Postgresql-13Debian Linux+1 more
Timeline
PublishedNov 16
Latest updateFeb 15

Description

A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one schema can execute arbitrary SQL functions under the identity of a superuser. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages4 packages

debiandebian/postgresql-13< postgresql-13 13.1-1 (bullseye)
NVDpostgresql/postgresql9.6.09.6.20+5
CVEListV5postgresql/postgresqlAll PostgreSQL versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24

Also affects: Debian Linux 9.0

🔴Vulnerability Details

3
GHSA
SQL Injection2022-02-15
OSV
postgresql-10, postgresql-12, postgresql-9.5 vulnerabilities2020-11-17
OSV
CVE-2020-25695: A flaw was found in PostgreSQL versions before 132020-11-16

📋Vendor Advisories

4
Ubuntu
PostgreSQL vulnerabilities2020-11-17
Red Hat
postgresql: Multiple features escape "security restricted operation" sandbox2020-11-12
Microsoft
A flaw was found in PostgreSQL versions before 13.1 before 12.5 before 11.10 before 10.15 before 9.6.20 and before 9.5.24. An attacker having permission to create non-temporary objects in at least one2020-11-10
Debian
CVE-2020-25695: postgresql-13 - A flaw was found in PostgreSQL versions before 13.1, before 12.5, before 11.10, ...2020

💬Community

1
Bugzilla
CVE-2020-25695 postgresql: Multiple features escape "security restricted operation" sandbox2020-11-04
CVE-2020-25695 — SQL Injection in Postgresql | cvebase