PT-2020-6837 · Unknown+1 · Postgresql+1

Hjy79425575 · Published 2020-05-14 · Updated 2024-03-06 · CVE-2020-10733

CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PostgreSQL versions 9.5 through 12

Description: The Windows installer for PostgreSQL invokes system-provided executables without fully-qualified paths. An executable of the same name placed in the directory from which the installer is loaded, or in the current working directory, therefore takes precedence over the intended system executable. An attacker with permission to add files to either of these directories can execute arbitrary code with the installer's administrative rights. The root cause is incorrect path handling (an untrusted search path), which can be exploited to elevate privileges and execute arbitrary code.

Recommendations: For PostgreSQL versions 9.5 through 12, restrict access to the directory from which the installer is loaded and to the current working directory, so that only administrative accounts can add files there. Avoid executing the installer from a directory where an attacker may have permission to add files. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
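The following PowerShell script is an added defensive check, not part of the advisory or of the PostgreSQL project: it lists ACL entries that let principals other than administrators, SYSTEM, TrustedInstaller or the user running the check create files in the two directories the recommendation names, the installer's own directory and the current working directory. The installer path is a placeholder and should be pointed at the downloaded installer.

```powershell
# Added defensive check, not part of the advisory or of PostgreSQL itself.
# Reports ACL entries that let principals other than administrators, SYSTEM or the
# user running the check create files in the two directories the advisory names:
# the directory the installer is loaded from and the current working directory.
param(
    # Placeholder path; point it at the downloaded installer.
    [string]$InstallerPath = "$env:USERPROFILE\Downloads\postgresql-installer-placeholder.exe"
)

# Bits that allow planting a file or subdirectory. Modify and FullControl include both.
$plantMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories

# Principals expected to write into a directory used by an elevated installer.
$trusted = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller',
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
)

function Get-UntrustedWriter {
    param([string]$Directory)
    # Only Allow ACEs that apply to the directory itself are considered; a matching
    # Deny ACE would override them, so review findings against the full ACL.
    (Get-Acl -LiteralPath $Directory).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.PropagationFlags -notmatch 'InheritOnly' -and
            (([int]$_.FileSystemRights) -band ([int]$plantMask)) -ne 0 -and
            $trusted -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object {
            [pscustomobject]@{
                Directory = $Directory
                Principal = $_.IdentityReference.Value
                Rights    = $_.FileSystemRights
                Inherited = $_.IsInherited
            }
        }
}

$dirs = @((Split-Path -Parent $InstallerPath), (Get-Location).Path) | Sort-Object -Unique
$findings = foreach ($d in $dirs) { if (Test-Path -LiteralPath $d) { Get-UntrustedWriter -Directory $d } }

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Untrusted principals can place files where the installer searches; run it from a directory writable only by administrators.'
} else {
    "No untrusted write access found on: $($dirs -join ', ')"
}
```

A directory such as the root of a drive or a shared temp folder, where Users or Authenticated Users hold CreateFiles, is the typical finding; moving the installer into an administrator-only directory and launching it from there removes the condition the advisory describes.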

Weakness Enumeration

Untrusted Search Path

Related Identifiers

ALT-PU-2020-1993
ALT-PU-2020-1994
ALT-PU-2020-2009
ALT-PU-2020-2010
ALT-PU-2020-2011
ALT-PU-2020-2012
ALT-PU-2020-2013
BDU:2023-00612
BIT-POSTGRESQL-2020-10733
CVE-2020-10733

Affected Products

Alt Linux
Postgresql