Vulnerability CVE-2020-14349: Information

Description

It was found that PostgreSQL versions before 12.4, before 11.9 and before 10.14 did not properly sanitize the search_path during logical replication. An authenticated attacker could use this flaw in an attack similar to CVE-2018-1058, in order to execute arbitrary SQL command in the context of the user used for replication.

Severity: HIGH (7.1) Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2020-14349

Published: Aug. 24, 2020

Modified: Jan. 24, 2023

Error type identifier: CWE-89, CWE-427

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
postgresql10	p10	10.14-alt1	10.23-alt1.p10.1	ALT-PU-2020-2538-1	256186	Fixed
postgresql10	p9	10.14-alt1	10.23-alt0.M90P.1	ALT-PU-2020-2605-1	256187	Fixed
postgresql10	p8	10.14-alt0.M80P.1	10.19-alt0.M80P.1	ALT-PU-2020-2643-1	256188	Fixed
postgresql10	c10f1	10.14-alt1	10.23-alt1	ALT-PU-2020-2538-1	256186	Fixed
postgresql10	c9f2	10.14-alt1	10.23-alt0.M90P.1	ALT-PU-2020-2605-1	256187	Fixed
postgresql11	p10	11.9-alt1	11.22-alt0.p10.1	ALT-PU-2020-2540-1	256186	Fixed
postgresql11	p9	11.9-alt1	11.22-alt0.M90P.1	ALT-PU-2020-2607-1	256187	Fixed
postgresql11	p8	11.9-alt0.M80P.1	11.14-alt0.M80P.1	ALT-PU-2020-2645-1	256188	Fixed
postgresql11	c10f1	11.9-alt1	11.22-alt0.p10.1	ALT-PU-2020-2540-1	256186	Fixed
postgresql11	c9f2	11.9-alt1	11.22-alt0.M90P.1	ALT-PU-2020-2607-1	256187	Fixed
postgresql11-1C	p8	11.9-alt0.M80P.1	11.12-alt0.M80P.2	ALT-PU-2020-2644-1	256188	Fixed
postgresql12	sisyphus	12.4-alt1	12.18-alt1	ALT-PU-2020-2535-1	256186	Fixed
postgresql12	p10	12.4-alt1	12.18-alt0.p10.1	ALT-PU-2020-2535-1	256186	Fixed
postgresql12	p9	12.4-alt1	12.18-alt0.M90P.1	ALT-PU-2020-2602-1	256187	Fixed
postgresql12	p8	12.4-alt0.M80P.1	12.9-alt0.M80P.1	ALT-PU-2020-2646-1	256188	Fixed
postgresql12	c10f1	12.4-alt1	12.18-alt0.p10.1	ALT-PU-2020-2535-1	256186	Fixed
postgresql12	c9f2	12.4-alt1	12.18-alt0.c9f2.1	ALT-PU-2020-2602-1	256187	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1865744	Issue Tracking Third Party Advisory
openSUSE-SU-2020:1243	Mailing List Third Party Advisory
openSUSE-SU-2020:1244	Mailing List Third Party Advisory
openSUSE-SU-2020:1228	Broken Link Mailing List Third Party Advisory
GLSA-202008-13	Third Party Advisory
USN-4472-1	Third Party Advisory
openSUSE-SU-2020:1312	Mailing List Third Party Advisory
openSUSE-SU-2020:1326	Mailing List Third Party Advisory
https://security.netapp.com/advisory/ntap-20200918-0002/	Third Party Advisory

Affected configurations:
1. Configuration 1
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  10.0
  End excliding
  10.14
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  11.0
  End excliding
  11.9
  cpe:2.3:a:postgresql:postgresql:*:*:*:*:*:*:*:*
  Start including
  12.0
  End excliding
  12.4
  
  Configuration 2
  cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
  cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*

Version: v24.4.2

Vulnerability CVE-2020-14349: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2