Improper access control in PostgreSQL

#VU48437 Improper access control in PostgreSQL

Cybersecurity Help s.r.o.

Published: 2020-11-16 | Updated: 2020-11-16

Vulnerability identifier: #VU48437

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-25694

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PostgreSQL
Server applications / Database software

Vendor: PostgreSQL Global Development Group

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can perform a man-in-the-middle attack or observe clear-text transmissions and downgrade connection security settings.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PostgreSQL: 13.0, 12.0 - 12.4, 11.0 - 11.9, 10.0 - 10.14, 9.6.0 - 9.6.19, 9.5.0 - 9.5.23

External links
http://bugzilla.redhat.com/show_bug.cgi?id=1894423
http://www.postgresql.org/about/news/postgresql-131-125-1110-1015-9620-and-9524-released-2111/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Dell XtremIO X2

Multiple vulnerabilities in Dell Security Management

Multiple vulnerabilities in IBM Security Access Manager

Multiple vulnerabilities in Dell EMC Unity

Amazon Linux AMI update for postgresql92

CentOS 7 update for postgresql

Zoho ManageEngine OpManager update for PostgreSQL

Red Hat Enterprise Linux 7 update for postgresql

Red Hat Enterprise Linux 8.1 update for the postgresql:9.6 module