OS Command Injection

Affecting postgresql-11 package, versions *

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

** DISPUTED ** In PostgreSQL 9.3 through 11.2, the "COPY TO/FROM PROGRAM" function allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user. This functionality is enabled by default and can be abused to run arbitrary operating system commands on Windows, Linux, and macOS. NOTE: Third parties claim/state this is not an issue because PostgreSQL functionality for ‘COPY TO/FROM PROGRAM’ is acting as intended. References state that in PostgreSQL, a superuser can execute commands as the server user without using the ‘COPY FROM PROGRAM’.

References

CVSS Score

7.2
low severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    High
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H/E:F
CVE
CVE-2019-9193
CWE
CWE-78
Snyk ID
SNYK-DEBIAN10-POSTGRESQL11-342098
Disclosed
01 Apr, 2019
Published
01 Apr, 2019