PT-2019-19427 · Postgresql+1

Jacob Wilkin · Published 2019-04-01 · Updated 2026-03-10 · CVE-2019-9193

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

PostgreSQL versions 9.3 through 11.2

Description

The issue allows superusers and users in the 'pg_execute_server_program' group to execute arbitrary code in the context of the database's operating system user through the "COPY TO/FROM PROGRAM" function. This functionality can be abused to run arbitrary operating system commands on Windows, Linux, and macOS.

Recommendations

For PostgreSQL versions 9.3 through 11.2, consider restricting access to the 'COPY TO/FROM PROGRAM' function to prevent arbitrary code execution, or remove users from the 'pg_execute_server_program' group unless necessary. As a temporary workaround, consider disabling the 'COPY TO/FROM PROGRAM' function until a more permanent solution is available.
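
To act on the recommendation above, the following audit query lists every role that can reach COPY TO/FROM PROGRAM, either as a superuser or through direct or nested membership in pg_execute_server_program. It is an added example, not part of the original advisory; the role name app_user in the commented remediation is hypothetical.

```sql
-- Added example: audit which roles can use COPY ... TO/FROM PROGRAM.
-- Reads only the pg_roles and pg_auth_members catalogs.
WITH RECURSIVE program_capable AS (
    -- Seed: the predefined role itself. It exists in PostgreSQL 11 and later;
    -- on 9.3 through 10 this branch returns no rows and only superusers
    -- are reported, which matches who can use COPY PROGRAM there.
    SELECT r.oid,
           r.rolname::text         AS rolname,
           ARRAY[r.rolname::text]  AS via
    FROM pg_roles r
    WHERE r.rolname = 'pg_execute_server_program'
  UNION ALL
    -- Walk membership downward: a role granted a capable role is capable
    -- too. NOINHERIT roles are included because they can still SET ROLE.
    SELECT m.member,
           r.rolname::text,
           pc.via || r.rolname::text
    FROM program_capable pc
    JOIN pg_auth_members m ON m.roleid = pc.oid
    JOIN pg_roles r        ON r.oid = m.member
)
SELECT r.rolname::text AS role,
       'superuser'     AS reason,
       NULL::text      AS grant_path,
       r.rolcanlogin   AS can_login
FROM pg_roles r
WHERE r.rolsuper
UNION ALL
SELECT pc.rolname,
       'member of pg_execute_server_program',
       array_to_string(pc.via, ' -> '),
       r.rolcanlogin
FROM program_capable pc
JOIN pg_roles r ON r.oid = pc.oid
WHERE pc.rolname <> 'pg_execute_server_program'
ORDER BY reason, role;

-- Remediation for a role that does not need the capability
-- (app_user is a hypothetical role name):
--   REVOKE pg_execute_server_program FROM app_user;
--   ALTER ROLE app_user NOSUPERUSER;
```

Rows with can_login set to true deserve the first review, since those roles can be used directly by a client connection.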

Exploit

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

ALT-PU-2019-1785
ALT-PU-2019-1786
ALT-PU-2019-1787
ALT-PU-2019-1788
CESA-2020_3669
CESA-2020_5619
CVE-2019-9193
RHSA-2020_3669
RHSA-2020_5619

Affected Products

Alt Linux
Postgresql