CVE-2019-10127

Name of the Vulnerable Software and Affected Versions PostgreSQL versions 11.x prior to 11.3

Description The issue is related to inadequate access control in the PostgreSQL database management system. Exploitation of this issue can allow an attacker to impact the confidentiality, integrity, and availability of protected information. Specifically, in the default configuration, an attacker with both an unprivileged Windows account and an unprivileged PostgreSQL account can execute arbitrary code through the PostgreSQL service account. An attacker with only an unprivileged Windows account can read arbitrary data directory files, bypassing database-imposed read access limitations, and can also delete certain data directory files.

Recommendations For PostgreSQL versions 11.x prior to 11.3, consider locking down the ACL of the binary installation directory and the ACL of the data directory to prevent exploitation. As a temporary workaround, restrict access to the data directory to minimize the risk of unauthorized file reading or deletion. Additionally, ensure that unprivileged Windows and PostgreSQL accounts are closely monitored and controlled to prevent potential attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.