Описание
A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
A flaw was discovered in postgresql where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
Отчет
Red Hat Virtualization Management Appliance included affected versions of postgresql, however no custom SECURITY DEFINER functions are declared so this vulnerability can not be exploited in the default configuration.
Меры по смягчению последствий
If your use case requires SECURITY DEFINER functions, please follow the advice below to write them safely so they do not rely on search_path and restrict the set of users which can access them. https://www.postgresql.org/docs/devel/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Decision Manager 7 | postgresql | Not affected | ||
| Red Hat Enterprise Linux 5 | postgresql | Out of support scope | ||
| Red Hat Enterprise Linux 6 | postgresql | Out of support scope | ||
| Red Hat Enterprise Linux 8 | libpq | Not affected | ||
| Red Hat Process Automation 7 | postgresql | Not affected | ||
| Red Hat Satellite 5 | rh-postgresql95-postgresql | Out of support scope | ||
| Red Hat Storage 3 | rhevm-dependencies | Not affected | ||
| Red Hat Virtualization 4 | rh-postgresql10-postgresql | Will not fix | ||
| Red Hat Virtualization 4 | rh-postgresql95-postgresql | Out of support scope | ||
| Red Hat Enterprise Linux 7 | postgresql | Fixed | RHSA-2021:1512 | 06.05.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.5 High
CVSS3
Связанные уязвимости
A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5.x before 9.5.19, 9.6.x before 9.6.15, 10.x before 10.10 and 11.x before 11.5 where arbitrary SQL statements can be executed given a suitable SECURITY DEFINER function. An attacker, with EXECUTE permission on the function, can execute arbitrary SQL as the owner of the function.
A flaw was discovered in postgresql versions 9.4.x before 9.4.24, 9.5. ...
EPSS
7.5 High
CVSS3