CVE-2020-14350

CVE-2020-14350

Name

CVE-2020-14350

Description

It was found that some PostgreSQL extensions did not use search_path safely in their installation script. An attacker with sufficient privileges could use this flaw to trick an administrator into executing a specially crafted script, during the installation or update of such extension. This affects PostgreSQL versions before 12.4, before 11.9, before 10.14, before 9.6.19, and before 9.5.23.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Mailing List	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html
Issue Tracking	https://bugzilla.redhat.com/show_bug.cgi?id=1865746
Mailing List	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html
Mailing List	https://lists.debian.org/debian-lts-announce/2020/08/msg00028.html
Mailing List	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html
Mailing List	http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html
Third Party Advisory	https://security.gentoo.org/glsa/202008-13
UBUNTU	https://usn.ubuntu.com/4472-1/
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html
CONFIRM	https://security.netapp.com/advisory/ntap-20200918-0002/

Type

URI

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html

Issue Tracking

https://bugzilla.redhat.com/show_bug.cgi?id=1865746

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00050.html

Mailing List

https://lists.debian.org/debian-lts-announce/2020/08/msg00028.html

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00049.html

Mailing List

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00044.html

Third Party Advisory

https://security.gentoo.org/glsa/202008-13

UBUNTU

https://usn.ubuntu.com/4472-1/

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00003.html

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00008.html

CONFIRM

https://security.netapp.com/advisory/ntap-20200918-0002/

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 9.5	< 9.5.23
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 9.6	< 9.6.19
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 10.0	< 10.14
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 11.0	< 11.9
`cpe:2.3:a:postgresql:postgresql::::::::`	postgresql	>= 12.0	< 12.4

CPE URI

Source package

Min version

Max version