Home

CVE-2020-14349

Description

It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.

Risk Information

Base Score
7.1
MODERATE
Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score
Exploitation Probability
1.548

Associated Vulnerability

VulnerabilityOS Platform
Vulnerabilities CVE-2020-14350 Announcement,CVE-2020-14349 Announcement are fixed in Postgresql 10.14Windows
Vulnerabilities CVE-2020-14350 Announcement,CVE-2020-14349 Announcement are fixed in Postgresql 11.9Windows
Vulnerabilities CVE-2020-14350 Announcement,CVE-2020-14349 Announcement are fixed in Postgresql 12.4Windows
Vulnerabilities CVE-2020-14350,CVE-2020-14349 are fixed in PostgreSQL 12.4Windows
Vulnerabilities CVE-2020-14350,CVE-2020-14349 are fixed in PostgreSQL 11.9Windows
Vulnerabilities CVE-2020-14350,CVE-2020-14349 are fixed in PostgreSQL 10.14Windows
Object-relational SQL database (USN-4472-1) postgresql-10_10.14-0ubuntu0.18.04.1_i386.debLinux
Object-relational SQL database (USN-4472-1) postgresql-10_10.14-0ubuntu0.18.04.1_amd64.debLinux
Object-relational SQL database (USN-4472-1) postgresql-12_12.4-0ubuntu0.20.04.1_i386.debLinux
Object-relational SQL database (USN-4472-1) postgresql-12_12.4-0ubuntu0.20.04.1_amd64.debLinux
Object-relational SQL database (USN-4472-1) postgresql-9.5_9.5.23-0ubuntu0.16.04.1_i386.debLinux
Object-relational SQL database (USN-4472-1) postgresql-9.5_9.5.23-0ubuntu0.16.04.1_amd64.debLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) libecpg6-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) libecpg6-debuginfo-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) libpq5-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) libpq5-32bit-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) libpq5-debuginfo-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) libpq5-debuginfo-32bit-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-contrib-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-contrib-debuginfo-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-debuginfo-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-debugsource-12.5-3.9.1.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-debugsource-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-docs-12.5-3.9.3.noarch.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-plperl-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-plperl-debuginfo-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-plpython-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-plpython-debuginfo-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-pltcl-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-pltcl-debuginfo-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-server-12.5-3.9.3.x86_64.rpmLinux
SUSE-SU-2020:3630-1(SUSE Linux Enterprise Server 12-SP5 ) postgresql12-server-debuginfo-12.5-3.9.3.x86_64.rpmLinux
Vulnerabilities CVE-2020-14350 Announcement,CVE-2020-14349 Announcement are fixed in Postgresql 10.14 (For Linux)Linux
Vulnerabilities CVE-2020-14350 Announcement,CVE-2020-14349 Announcement are fixed in Postgresql 11.9 (For Linux)Linux
Vulnerabilities CVE-2020-14350 Announcement,CVE-2020-14349 Announcement are fixed in Postgresql 12.4 (For Linux)Linux
(RHSA-2020:5620) postgresql:12 security update pgaudit-1.4.0-4.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update pgaudit-debugsource-1.4.0-4.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgres-decoderbufs-0.10.0-2.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgres-decoderbufs-debugsource-0.10.0-2.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-contrib-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-debugsource-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-docs-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-plperl-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-plpython3-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-pltcl-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-server-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-server-devel-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-static-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-test-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-test-rpm-macros-12.5-1.module+el8.3.0+9042+664538f4.noarch.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-upgrade-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
(RHSA-2020:5620) postgresql:12 security update postgresql-upgrade-devel-12.5-1.module+el8.3.0+9042+664538f4.x86_64.rpmLinux
Rh-postgresql10-postgresql update (ELSA-2021-9290) rh-postgresql10-postgresql-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-contrib update (ELSA-2021-9290) rh-postgresql10-postgresql-contrib-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-contrib-syspaths update (ELSA-2021-9290) rh-postgresql10-postgresql-contrib-syspaths-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-devel update (ELSA-2021-9290) rh-postgresql10-postgresql-devel-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-docs update (ELSA-2021-9290) rh-postgresql10-postgresql-docs-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-libs update (ELSA-2021-9290) rh-postgresql10-postgresql-libs-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-plperl update (ELSA-2021-9290) rh-postgresql10-postgresql-plperl-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-plpython update (ELSA-2021-9290) rh-postgresql10-postgresql-plpython-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-pltcl update (ELSA-2021-9290) rh-postgresql10-postgresql-pltcl-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-server update (ELSA-2021-9290) rh-postgresql10-postgresql-server-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-server-syspaths update (ELSA-2021-9290) rh-postgresql10-postgresql-server-syspaths-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-static update (ELSA-2021-9290) rh-postgresql10-postgresql-static-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-syspaths update (ELSA-2021-9290) rh-postgresql10-postgresql-syspaths-10.15-1.el7.x86_64.rpmLinux
Rh-postgresql10-postgresql-test update (ELSA-2021-9290) rh-postgresql10-postgresql-test-10.15-1.el7.x86_64.rpmLinux
Vulnerabilities CVE-2020-14350,CVE-2020-14349 are fixed in PostgreSQL 12.4 (For Linux)Linux
Vulnerabilities CVE-2020-14350,CVE-2020-14349 are fixed in PostgreSQL 11.9 (For Linux)Linux
Vulnerabilities CVE-2020-14350,CVE-2020-14349 are fixed in PostgreSQL 10.14 (For Linux)Linux

Patch Details

No records found

References

https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234