CVE-2020-1720

medium

Description

A flaw was found in PostgreSQL's "ALTER ... DEPENDS ON EXTENSION", where sub-commands did not perform authorization checks. An authenticated attacker could use this flaw in certain configurations to drop objects such as functions, triggers, et al., leading to database corruption. This issue affects PostgreSQL versions before 12.2, before 11.7, before 10.12 and before 9.6.17.

References

http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00043.html

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1720

https://www.postgresql.org/about/news/2011/

Details

Source: MITRE

Published: 2020-03-17

Updated: 2020-08-17

Type: CWE-862

Risk Information

CVSS v2

Base Score: 3.5

Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N

Impact Score: 2.9

Exploitability Score: 6.8

Severity: LOW

CVSS v3

Base Score: 6.5

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Impact Score: 3.6

Exploitability Score: 2.8

Severity: MEDIUM

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 150722 | Oracle Linux 7 : rh-postgresql10-postgresql (ELSA-2021-9290) | Nessus | Oracle Linux Local Security Checks | high |
| 146009 | CentOS 8 : postgresql:9.6 (CESA-2020:5619) | Nessus | CentOS Local Security Checks | high |
| 146002 | CentOS 8 : postgresql:12 (CESA-2020:5620) | Nessus | CentOS Local Security Checks | high |
| 145882 | CentOS 8 : postgresql:10 (CESA-2020:3669) | Nessus | CentOS Local Security Checks | high |
| 145243 | RHEL 8 : postgresql:10 (RHSA-2021:0166) | Nessus | Red Hat Local Security Checks | high |
| 145227 | RHEL 8 : postgresql:9.6 (RHSA-2021:0167) | Nessus | Red Hat Local Security Checks | high |
| 145044 | RHEL 8 : postgresql:12 (RHSA-2021:0163) | Nessus | Red Hat Local Security Checks | high |
| 145043 | RHEL 8 : postgresql:9.6 (RHSA-2021:0164) | Nessus | Red Hat Local Security Checks | high |
| 144565 | Oracle Linux 8 : ELSA-2020-5619-1: / postgresql:9.6 (ELSA-2020-56191) | Nessus | Oracle Linux Local Security Checks | high |
| 144564 | Oracle Linux 8 : ELSA-2020-5620-1: / postgresql:12 (ELSA-2020-56201) | Nessus | Oracle Linux Local Security Checks | high |
| 144560 | RHEL 8 : postgresql:9.6 (RHSA-2020:5661) | Nessus | Red Hat Local Security Checks | high |
| 144559 | RHEL 8 : postgresql:10 (RHSA-2020:5664) | Nessus | Red Hat Local Security Checks | high |
| 144417 | RHEL 8 : postgresql:12 (RHSA-2020:5620) | Nessus | Red Hat Local Security Checks | high |
| 144395 | RHEL 8 : postgresql:9.6 (RHSA-2020:5619) | Nessus | Red Hat Local Security Checks | high |
| 141979 | Amazon Linux AMI : postgresql96 (ALAS-2020-1443) | Nessus | Amazon Linux Local Security Checks | high |
| 140486 | Oracle Linux 8 : postgresql:10 (ELSA-2020-3669) | Nessus | Oracle Linux Local Security Checks | high |
| 140398 | RHEL 8 : postgresql:10 (RHSA-2020:3669) | Nessus | Red Hat Local Security Checks | high |
| 139655 | openSUSE Security Update : postgresql96 / postgresql10 and postgresql12 (openSUSE-2020-1227) | Nessus | SuSE Local Security Checks | high |
| 139407 | SUSE SLED15 / SLES15 Security Update : postgresql10 / postgresql12 (SUSE-SU-2020:2149-1) | Nessus | SuSE Local Security Checks | medium |
| 136865 | EulerOS 2.0 SP8 : postgresql (EulerOS-SA-2020-1587) | Nessus | Huawei Local Security Checks | medium |
| 135793 | Photon OS 3.0: Postgresql PHSA-2020-3.0-0080 | Nessus | PhotonOS Local Security Checks | medium |
| 135486 | Photon OS 1.0: Postgresql PHSA-2020-1.0-0287 | Nessus | PhotonOS Local Security Checks | medium |
| 135000 | FreeBSD : PostgresSQL -- ALTER ... DEPENDS ON EXTENSION is missing authorization checks (d331f691-71f4-11ea-8bb5-6cc21735f730) | Nessus | FreeBSD Local Security Checks | medium |
| 134855 | SUSE SLED15 / SLES15 Security Update : postgresql10 (SUSE-SU-2020:0752-1) | Nessus | SuSE Local Security Checks | medium |
| 134698 | SUSE SLED12 / SLES12 Security Update : postgresql10 (SUSE-SU-2020:0715-1) | Nessus | SuSE Local Security Checks | medium |
| 134470 | GLSA-202003-03 : PostgreSQL: Multiple vulnerabilities | Nessus | Gentoo Local Security Checks | high |
| 134397 | openSUSE Security Update : postgresql10 (openSUSE-2020-331) | Nessus | SuSE Local Security Checks | medium |
| 134296 | SUSE SLED15 / SLES15 Security Update : postgresql10 (SUSE-SU-2020:0589-1) | Nessus | SuSE Local Security Checks | medium |
| 134295 | SUSE SLES12 Security Update : postgresql96 (SUSE-SU-2020:0586-1) | Nessus | SuSE Local Security Checks | medium |
| 133966 | PostgreSQL 9.6.x < 9.6.17 / 10.x < 10.12 / 11.x < 11.7 / 12.x < 12.2 Missing Authorization | Nessus | Databases | medium |
| 133795 | Ubuntu 18.04 LTS / 19.10 : PostgreSQL vulnerability (USN-4282-1) | Nessus | Ubuntu Local Security Checks | medium |
| 133729 | Debian DLA-2105-1 : postgresql-9.4 security update | Nessus | Debian Local Security Checks | medium |
| 133700 | Debian DSA-4623-1 : postgresql-11 - security update | Nessus | Debian Local Security Checks | medium |
| 133699 | Debian DSA-4622-1 : postgresql-9.6 - security update | Nessus | Debian Local Security Checks | medium |