Noah Misch

Nome do Software Vulnerável e Versões Afetadas: Versões do PostgreSQL anteriores a 17.6 Versões do PostgreSQL anteriores a 16.10 Versões do PostgreSQL anteriores a 15.14 Versões do PostgreSQL anteriores a 14.19 Versões do PostgreSQL anteriores a 13.22 Descrição: A neutralização inadequada de quebras de linha no `pg dump` permite que um usuário do servidor de origem injete código arbitrário para execução no momento da restauração, como a conta do sistema operacional do cliente que executa o `psql` para restaurar o dump, via metacomandos do `psql` dentro de um nome de objeto criado especificamente para esse fim. Os mesmos ataques podem efetuar injeção de SQL como um superusuário do servidor de destino da restauração. `pg dumpall`, `pg restore` e `pg upgrade` também são afetados. Recomendações: Atualize para a versão 17.6 ou posterior do PostgreSQL. Atualize para a versão 16.10 ou posterior do PostgreSQL. Atualize para a versão 15.14 ou posterior do PostgreSQL. Atualize para a versão 14.19 ou posterior do PostgreSQL. Atualize para a versão 13.22 ou posterior do PostgreSQL.

**Nome do software vulnerável e versões afetadas** Versões do PostgreSQL anteriores à 16.4 Versões do PostgreSQL anteriores à 15.8 Versões do PostgreSQL anteriores à 14.13 Versões do PostgreSQL anteriores à 13.16 Versões do PostgreSQL anteriores à 12.20 **Descrição** Uma condição de corrida de tempo de verificação e tempo de uso (TOCTOU) no pg dump do PostgreSQL permite que um criador de objeto execute funções SQL arbitrárias como o usuário que está executando o pg dump, que geralmente é um superusuário. O ataque envolve substituir outro tipo de relação por uma visualização ou tabela externa. O ataque requer aguardar o início do pg dump, mas vencer a condição de corrida é trivial se o invasor mantiver uma transação aberta. Aproximadamente 3.929.844 dispositivos estão potencialmente afetados, distribuídos principalmente nos Estados Unidos, na Alemanha e em outros países. **Recomendações** Para versões anteriores à 16.4, atualize para a versão 16.4 ou posterior. Para versões anteriores à 15.8, atualize para a versão 15.8 ou posterior. Para versões anteriores à 14.13, atualize para a versão 14.13 ou posterior. Para versões anteriores à 13.16, atualize para a versão 13.16 ou posterior. Para versões anteriores à 12.20, atualize para a versão 12.20 ou posterior. Como solução alternativa temporária, considere restringir o acesso ao utilitário pg dump até que um patch esteja disponível. Evite usar o utilitário pg dump com transações abertas para minimizar o risco de exploração.

**Nome do software vulnerável e versões afetadas** Versões do PostgreSQL anteriores à 10.14 Versões do PostgreSQL anteriores à 11.9 Versões do PostgreSQL anteriores à 12.4 **Descrição** O problema está relacionado à sanitização inadequada do `search path` durante a replicação lógica no PostgreSQL, permitindo que um invasor autenticado execute comandos SQL arbitrários no contexto do usuário utilizado para a replicação. Isso poderia potencialmente levar à escalada de privilégios e à execução de comandos arbitrários. **Recomendações** Para versões anteriores à 10.14, atualize para a versão 10.14 ou posterior para resolver o problema. Para versões anteriores à 11.9, atualize para a versão 11.9 ou posterior para resolver o problema. Para versões anteriores à 12.4, atualize para a versão 12.4 ou posterior para resolver o problema.

**Name of the Vulnerable Software and Affected Versions** postgresql versions 11.x prior to 11.3 **Description** A vulnerability was found in the Windows installer for EnterpriseDB-supplied PostgreSQL, which does not lock down the ACL of the binary installation directory or the ACL of the data directory, keeping the inherited ACL. This allows a local attacker to read arbitrary data directory files, essentially bypassing database-imposed read access limitations. In non-default configurations, an attacker with both an unprivileged Windows account and an unprivileged PostgreSQL account can cause the PostgreSQL service account to execute arbitrary code. **Recommendations** For postgresql versions 11.x prior to 11.3, consider updating to version 11.3 or later to resolve the issue. As a temporary workaround, restrict access to the data directory and binary installation directory to minimize the risk of exploitation. Additionally, review and adjust the ACL settings for these directories to ensure proper access control.

Name of the Vulnerable Software and Affected Versions: Postgresql versions prior to 11.5 Postgresql versions prior to 10.10 Postgresql versions prior to 9.6.15 Postgresql versions prior to 9.5.19 Postgresql versions prior to 9.4.24 Description: The issue allows a superuser to write a password to an unprotected temporary file. Recommendations: For versions prior to 11.5, update to version 11.5 or later. For versions prior to 10.10, update to version 10.10 or later. For versions prior to 9.6.15, update to version 9.6.15 or later. For versions prior to 9.5.19, update to version 9.5.19 or later. For versions prior to 9.4.24, update to version 9.4.24 or later.

**Name of the Vulnerable Software and Affected Versions** postgresql versions 11.x prior to 11.3 **Description** A vulnerability allows an attacker to read arbitrary bytes of server memory by using a specially crafted insert to a partitioned table. In the default configuration, any user can create a partitioned table suitable for this attack. **Recommendations** For postgresql versions 11.x prior to 11.3, update to version 11.3 or later to resolve the issue. As a temporary workaround, consider restricting access to create partitioned tables to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions prior to 9.1.23 PostgreSQL versions 9.2.x prior to 9.2.18 PostgreSQL versions 9.3.x prior to 9.3.14 PostgreSQL versions 9.4.x prior to 9.4.9 PostgreSQL versions 9.5.x prior to 9.5.4 **Description** The issue allows remote authenticated users with the CREATEDB or CREATEROLE role to gain superuser privileges via a mishandled database or role name that contains specific characters, including a double quote, backslash, carriage return, or newline character, during an administrative operation. **Recommendations** For versions prior to 9.1.23, update to version 9.1.23 or later. For versions 9.2.x prior to 9.2.18, update to version 9.2.18 or later. For versions 9.3.x prior to 9.3.14, update to version 9.3.14 or later. For versions 9.4.x prior to 9.4.9, update to version 9.4.9 or later. For versions 9.5.x prior to 9.5.4, update to version 9.5.4 or later.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions prior to 9.1.20 PostgreSQL versions 9.2.x prior to 9.2.15 PostgreSQL versions 9.3.x prior to 9.3.11 PostgreSQL versions 9.4.x prior to 9.4.6 PostgreSQL versions 9.5.x prior to 9.5.1 **Description** The issue is related to improper access restriction to custom configuration settings (GUCS) for PL/Java in PostgreSQL, allowing attackers to gain privileges via unspecified vectors. This can be exploited by a remote attacker to elevate their privileges. **Recommendations** For versions prior to 9.1.20, update to version 9.1.20 or later. For versions 9.2.x prior to 9.2.15, update to version 9.2.15 or later. For versions 9.3.x prior to 9.3.11, update to version 9.3.11 or later. For versions 9.4.x prior to 9.4.6, update to version 9.4.6 or later. For versions 9.5.x prior to 9.5.1, update to version 9.5.1 or later.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions prior to 9.0.20 PostgreSQL versions 9.1.x prior to 9.1.16 PostgreSQL versions 9.2.x prior to 9.2.11 PostgreSQL versions 9.3.x prior to 9.3.7 PostgreSQL versions 9.4.x prior to 9.4.2 **Description** The issue allows attackers to obtain the key via a brute force attack due to different error responses when an incorrect key is used for decryption. This is related to the `pgcrypto` module in PostgreSQL. **Recommendations** For versions prior to 9.0.20, update to version 9.0.20 or later. For versions 9.1.x prior to 9.1.16, update to version 9.1.16 or later. For versions 9.2.x prior to 9.2.11, update to version 9.2.11 or later. For versions 9.3.x prior to 9.3.7, update to version 9.3.7 or later. For versions 9.4.x prior to 9.4.2, update to version 9.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions prior to 9.0.20 PostgreSQL versions 9.1.x prior to 9.1.16 PostgreSQL versions 9.2.x prior to 9.2.11 PostgreSQL versions 9.3.x prior to 9.3.7 PostgreSQL versions 9.4.x prior to 9.4.2 **Description** The issue is related to the snprintf implementation, which does not properly handle system-call errors. This can allow attackers to obtain sensitive information or have other unspecified impact via unknown vectors, such as an out-of-memory error. **Recommendations** For versions prior to 9.0.20, update to version 9.0.20 or later. For versions 9.1.x prior to 9.1.16, update to version 9.1.16 or later. For versions 9.2.x prior to 9.2.11, update to version 9.2.11 or later. For versions 9.3.x prior to 9.3.7, update to version 9.3.7 or later. For versions 9.4.x prior to 9.4.2, update to version 9.4.2 or later.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions 9.0.0 through 9.0.18 PostgreSQL versions 9.1.x before 9.1.15 PostgreSQL versions 9.2.x before 9.2.10 PostgreSQL versions 9.3.x before 9.3.6 PostgreSQL versions 9.4.x before 9.4.1 **Description** The issue is related to multiple buffer overflows in the contrib/pgcrypto module of PostgreSQL, allowing remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via unspecified vectors. This is due to memory errors in functions within the pgcrypto extension. **Recommendations** For PostgreSQL versions 9.0.0 through 9.0.18, update to version 9.0.19 or later. For PostgreSQL versions 9.1.x before 9.1.15, update to version 9.1.15 or later. For PostgreSQL versions 9.2.x before 9.2.10, update to version 9.2.10 or later. For PostgreSQL versions 9.3.x before 9.3.6, update to version 9.3.6 or later. For PostgreSQL versions 9.4.x before 9.4.1, update to version 9.4.1 or later.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions 8.3 through 8.3.19 PostgreSQL versions 8.4 through 8.4.12 PostgreSQL versions 9.0 through 9.0.8 PostgreSQL versions 9.1 through 9.1.4 **Description** The issue allows remote attackers to determine the existence of arbitrary files or URLs and possibly obtain the file or URL content that triggers a parsing error. This is related to an XML External Entity (XXE) issue, where the `xml parse` function in the libxml2 support can be exploited through an XML value that refers to (1) a DTD or (2) an entity. **Recommendations** For PostgreSQL versions 8.3 through 8.3.19, update to version 8.3.20 or later. For PostgreSQL versions 8.4 through 8.4.12, update to version 8.4.13 or later. For PostgreSQL versions 9.0 through 9.0.8, update to version 9.0.9 or later. For PostgreSQL versions 9.1 through 9.1.4, update to version 9.1.5 or later.

**Name of the Vulnerable Software and Affected Versions** PostgreSQL versions 9.2.x through 9.2.3 PostgreSQL versions 9.1.x through 9.1.8 **Description** The issue allows remote authenticated users to bypass intended backup restrictions. This can be achieved by calling the (1) pg start backup or (2) pg stop backup functions. An unprivileged user can run commands that could interfere with in-progress backups. The vulnerability may lead to a violation of confidentiality, integrity, and availability of protected information and can be exploited remotely by an authenticated attacker. **Recommendations** For PostgreSQL versions 9.2.x through 9.2.3, update to version 9.2.4 or later. For PostgreSQL versions 9.1.x through 9.1.8, update to version 9.1.9 or later. As a temporary workaround, consider restricting access to the pg start backup and pg stop backup functions until a patch is available.