PT-2019-19427 · Postgresql+1 · Postgresql+1

Jacob Wilkin

Publicado

2019-04-01

Atualizado

2026-03-10

CVE-2019-9193

CVSS v2.0

9.0

Alta

Vetor

AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions PostgreSQL versions 9.3 through 11.2

Description The issue allows superusers and users in the 'pg execute server program' group to execute arbitrary code in the context of the database's operating system user through the "COPY TO/FROM PROGRAM" function. This functionality can be abused to run arbitrary operating system commands on Windows, Linux, and macOS.

Recommendations For PostgreSQL versions 9.3 through 11.2, consider restricting access to the 'COPY TO/FROM PROGRAM' function to prevent arbitrary code execution, or remove users from the 'pg execute server program' group unless necessary. As a temporary workaround, consider disabling the 'COPY TO/FROM PROGRAM' function until a more permanent solution is available.

Exploit

Correção

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-78

Identificadores relacionados

ALT-PU-2019-1785

ALT-PU-2019-1786

ALT-PU-2019-1787

ALT-PU-2019-1788

CESA-2020_3669

CESA-2020_5619

CVE-2019-9193

RHSA-2020_3669

RHSA-2020_5619

Produtos afetados

Alt Linux

Postgresql

PT-2019-19427 · Postgresql+1 · Postgresql+1

CVE-2019-9193

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 22