Insufficient Comparison

Affecting postgresql-9.6 package, versions <9.6.20-0+deb9u1


Overview

Affected versions of this package are vulnerable to Insufficient Comparison. A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating system account running psql. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Remediation

Upgrade postgresql-9.6 to version 9.6.20-0+deb9u1 or higher.
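Checking whether an installed Debian package is still below the fixed version requires Debian's version ordering rather than a string comparison (9.6.9 must sort below 9.6.20, and 9.6.20~rc1 below 9.6.20). The following is an added example, not code from Snyk, Debian or the PostgreSQL project: it implements the dpkg version ordering rules in Python, with the fixed version taken from this advisory, and runs the check over a constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output (the sample lines and the `scan_dpkg_output` helper are assumptions for the example).

```python
import re

# Fixed version taken from the advisory header ("versions <9.6.20-0+deb9u1").
FIXED_VERSION = "9.6.20-0+deb9u1"


def _order(c: str) -> int:
    """Sort weight of one character in a non-digit segment, following dpkg:
    '~' sorts before everything (even end of string), letters sort by code
    point, and any other character sorts after all letters."""
    if c == "~":
        return -1
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _cmp_nondigit(a: str, b: str) -> int:
    # A missing character counts as 0, so a longer segment sorts higher
    # unless the extra character is '~' (pre-release marker).
    for i in range(max(len(a), len(b))):
        oa = _order(a[i]) if i < len(a) else 0
        ob = _order(b[i]) if i < len(b) else 0
        if oa != ob:
            return -1 if oa < ob else 1
    return 0


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments (upstream or revision) by alternating
    non-digit runs (lexical, per _order) and digit runs (numeric)."""
    while a or b:
        na, nb = re.match(r"[^0-9]*", a), re.match(r"[^0-9]*", b)
        r = _cmp_nondigit(na.group(), nb.group())
        if r:
            return r
        a, b = a[na.end():], b[nb.end():]
        da, db = re.match(r"[0-9]*", a), re.match(r"[0-9]*", b)
        ia, ib = int(da.group() or "0"), int(db.group() or "0")
        if ia != ib:
            return -1 if ia < ib else 1
        a, b = a[da.end():], b[db.end():]
    return 0


def parse_version(v: str):
    """Split a Debian version string into (epoch, upstream, debian_revision)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    if "-" in v:
        upstream, revision = v.rsplit("-", 1)
    else:
        upstream, revision = v, ""
    return epoch, upstream, revision


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 as version a is lower than, equal to or higher than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is below the advisory's fixed version."""
    return compare_versions(installed, fixed) < 0


# Constructed sample of `dpkg-query -W -f='${Package} ${Version}\n'` output;
# not captured from a real host.
SAMPLE_DPKG_OUTPUT = """\
postgresql-9.6 9.6.19-0+deb9u1
postgresql-client-9.6 9.6.20-0+deb9u1
libpq5 9.6.20-0+deb9u1
"""


def scan_dpkg_output(text: str, package: str = "postgresql-9.6"):
    """Return {package: (version, vulnerable)} for the advisory's package."""
    findings = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == package:
            findings[parts[0]] = (parts[1], is_vulnerable(parts[1]))
    return findings


if __name__ == "__main__":
    for pkg, (ver, vuln) in scan_dpkg_output(SAMPLE_DPKG_OUTPUT).items():
        print(f"{pkg} {ver}: {'VULNERABLE' if vuln else 'fixed'}")
```

On a real host, feed the output of `dpkg-query -W -f='${Package} ${Version}\n'` to `scan_dpkg_output`; an epoch-prefixed or backported version is handled by the same ordering rules, which is why a plain string comparison is not a substitute.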

CVSS Score

7.5 (high severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVE: CVE-2020-25696
CWE: CWE-183, CWE-270, CWE-697
Snyk ID: SNYK-DEBIAN9-POSTGRESQL96-1040154
Disclosed: 23 Nov, 2020
Published: 12 Nov, 2020