SQL Injection

Affecting postgresql-11 package, versions <11.9-0+deb10u1

Report new vulnerabilities
Do your applications use this vulnerable package? Test your applications

Overview

Affected versions of this package are vulnerable to SQL Injection. It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.

Remediation

Upgrade postgresql-11 to version or higher.

References

CVSS Score

7.1
high severity
  • Attack Vector
    Network
  • Attack Complexity
    High
  • Privileges Required
    Low
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    High
  • Availability
    High
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
CVE
CVE-2020-14349
CWE
CWE-427 CWE-89
Snyk ID
SNYK-DEBIAN10-POSTGRESQL11-598393
Disclosed
24 Aug, 2020
Published
13 Aug, 2020