Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1094
PostgresSQL -- ALTER ... DEPENDS ON EXTENSION is missing
authorization checks
30 March 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: PostgresSQL
Publisher: FreeBSD
Operating System: FreeBSD
Impact/Access: Unauthorised Access -- Existing Account
Reduced Security -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2020-1720
Reference: ESB-2020.1082
ESB-2020.1033
ESB-2020.0981
ESB-2020.0515
Original Bulletin:
https://www.vuxml.org/freebsd/d331f691-71f4-11ea-8bb5-6cc21735f730.html
- --------------------------BEGIN INCLUDED TEXT--------------------
PostgresSQL -- ALTER ... DEPENDS ON EXTENSION is missing authorization checks
Affected packages
postgresql12-server < 12.2
postgresql11-server < 11.7
postgresql10-server < 10.12
postgresql96-server < 9.6.17
Details
VuXML ID d331f691-71f4-11ea-8bb5-6cc21735f730
Discovery 2020-02-13
Entry 2020-03-29
The PostgreSQL project reports:
Versions Affected: 9.6 - 12
The ALTER ... DEPENDS ON EXTENSION sub-commands do not perform
authorization checks, which can allow an unprivileged user to drop any
function, procedure, materialized view, index, or trigger under certain
conditions. This attack is possible if an administrator has installed an
extension and an unprivileged user can CREATE, or an extension owner either
executes DROP EXTENSION predictably or can be convinced to execute DROP
EXTENSION.
[source]
References
CVE Name CVE-2020-1720
URL https://www.postgresql.org/about/news/1960/
Copyright (C) 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXoGOu2aOgq3Tt24GAQgWJhAArR/HYYLwMU0w/uzwl/pld05E+7oyacE/
CEOjxfDccFwr8vuWOxLkolaeYx2ZA4cLlGZ4qGGABih9HOaH4mAvr2nv4HGtSjKg
nMZ3WRtj1UWAiOwOMIzbmXQwf9JoZ3Ubu6pacpQlYKFE/aVE8VaWw8MQMqmev+6A
64NQmPoEiYanX7fzbWXR691UaOfplvm+LjLqCso6CUBt2qU1H59syJTto9qqrMBt
EGOxuMzoHCzwpHn8NoiJNgTa4J06gj0IOXzaqKzYI8Md1tmh2CRVVfN4JBXWOliM
q51cH9rjGch7E/vJr7JVS+1hoWhwVD6iFTbHNu/s1/8meAOGF8JhC/c5FsFpEmfi
hZP4DyDERvNhU5pHBEyu1xVW+rkXyDukXJFpPXfRsjQ2Sf0CbUIS6rJmPnGJW4QD
liuWD3aBpRq8v9tqjKBeGarJJXXJaWlcuugwPVIUCsIzCOG/y8An9dkiIIDVNoNM
MYgfIejepSOdD2OUDX1F/W3NKtIkr8/8A1J8zrKDmbldMc9uCCmLhe8pGKTp3Ylq
B1D5z8DIeNutpDnhuk89xt8jsKNKaM/pBWG4E5m9QFrjuS/LJa3R09lkd2MPL5cr
Hn9cm9+wb9IDgKr46u2qFV1UFdRMKz3ghEqgeypYwCJE0DwJk4ofZxJh9LPdHT9y
qxCH4pJxtFQ=
=7AJf
-----END PGP SIGNATURE-----