Alpine: postgresql13: security update to 13.20-r0

high Tenable Self-Hosted Container Security Plugin ID 420935

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral(),
PQescapeIdentifier(), PQescapeString(), and PQescapeStringConn() allows a database input provider to
achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the application to
use the function result to construct input to psql, the PostgreSQL interactive terminal. Similarly,
improper neutralization of quoting syntax in PostgreSQL command line utility programs allows a source of
command line arguments to achieve SQL injection when client_encoding is BIG5 and server_encoding is one of
EUC_TW or MULE_INTERNAL. Versions before PostgreSQL 17.3, 16.7, 15.11, 14.16, and 13.19 are affected.
(CVE-2025-1094)

See Also

https://security.alpinelinux.org/vuln/CVE-2025-1094

Plugin Details

Severity: High

ID: 420935

Version: Revision 1.17

Type: Local

Published: 2/21/2025

Updated: 11/7/2025

Supported Sensors: Agentless Assessment

Risk Information

VPR

Risk Factor: High

Score: 7.9

Percentile: 99.36

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-1094

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 2/11/2025

Exploitable With

Metasploit (BeyondTrust Privileged Remote Access (PRA) and Remote Support (RS) unauthenticated Remote Code Execution)

Reference Information

CVE: CVE-2025-1094

IAVB: 2025-B-0028